Air.Uni!.v[;rsity 


AIRFORCE  RESEARCH  INSTITUTE  PAPERS 


Panayotis  A.  Yannakogeorgos 


Strategies  for  Resolving 
the  Cyber  Attribution  Chaiienge 


PERSPECTIVES  ON  CYBER  POWER 


Report  Documentation  Page 

Form  Approved 

0MB  No.  0704-0188 

Public  reporting  burden  for  the  collection  of  information  is  estimated  to  average  1  hour  per  response,  including  the  time  for  reviewing  instructions,  searching  existing  data  sources,  gathering  and 
maintaining  the  data  needed,  and  completing  and  reviewing  the  collection  of  information.  Send  comments  regarding  this  burden  estimate  or  any  other  aspect  of  this  collection  of  information, 
including  suggestions  for  reducing  this  burden,  to  Washington  Headquarters  Services,  Directorate  for  Information  Operations  and  Reports,  1215  Jefferson  Davis  Highway,  Suite  1204,  Arlington 

VA  22202-4302.  Respondents  should  be  aware  that  notwithstanding  any  other  provision  of  law,  no  person  shall  be  subject  to  a  penalty  for  failing  to  comply  with  a  collection  of  information  if  it 
does  not  display  a  currently  valid  0MB  control  number. 

1.  REPORT  DATE 

MAY  2013  2.  REPORT  TYPE 

3.  DATES  COVERED 

00-00-2013  to  00-00-2013 

4.  TITLE  AND  SUBTITLE 

Strategies  for  Resolving  the  Cyber  Attribution  Challenge 

5a.  CONTRACT  NUMBER 

5b.  GRANT  NUMBER 

5c.  PROGRAM  ELEMENT  NUMBER 

6.  AUTHOR(S) 

5d.  PROJECT  NUMBER 

5e.  TASK  NUMBER 

5f.  WORK  UNIT  NUMBER 

7.  PERFORMING  ORGANIZATION  NAME(S)  AND  ADDRESS(ES) 

Air  Force  Research  Institute  (AFRI),155  N.  Twining  St.,  Bldg 

693, Maxwell  AFB,AL, 361 12-6026 

8.  PERFORMING  ORGANIZATION 

REPORT  NUMBER 

9.  SPONSORING/MONITORING  AGENCY  NAME(S)  AND  ADDRESS(ES) 

10.  SPONSOR/MONITOR’S  ACRONYM(S) 

11.  SPONSOR/MONITOR’S  REPORT 
NUMBER(S) 

12.  DISTRIBUTION/AVAILABILITY  STATEMENT 

Approved  for  public  release;  distribution  unlimited 

13.  SUPPLEMENTARY  NOTES 

14.  ABSTRACT 

15.  SUBJECT  TERMS 

16.  SECURITY  CLASSIFICATION  OF:  17.  LIMITATION  OF 

_ _ _  ABSTRACT 

18.  NUMBER  19a.  NAME  OF 

OF  PAGES  RESPONSIBLE  PERSON 

a.  REPORT  b.  ABSTRACT  c.  THIS  PAGE  Same  aS 

unclassified  unclassified  unclassified  Report  (SAR) 

108 

Standard  Form  298  (Rev.  8-98} 

Prescribed  by  ANSI  Std  Z39-18 


AIR  UNIVERSITY 


Air  Force  Research  Institute 
Perspectives  on  Cyber  Power 


Strategies  for  Resolving  the  Cyber 
Attribution  Challenge 


Panayotis  a.  Yannakogeorgos 


CP-1 


Air  Force  Research  Institute 
Air  University  Press 

Maxwell  Air  Force  Base,  Alabama  361 12-6026 


Published  by  Air  University  Press  in  May  2013 


ISBN  978-1-58566-226-5 
ISSN  2329-5821 


Disclaimer 

Opinions,  conclusions,  and  recommendations  expressed  or  implied  within  are  solely  those  of  the 
authors  and  do  not  necessarily  represent  the  views  of  the  Air  Force  Research  Institute,  Air 
University,  the  United  States  Air  Force,  the  Department  of  Defense,  or  any  other  US  government 
agency.  Cleared  for  public  release:  distribution  unlimited. 


Air  Force  Research  Institute  Perspectives  on  Cyber  Power 

We  live  in  a  world  where  global  efforts  to  provide  access  to  cyber 
resources  and  the  battles  for  control  of  cyberspace  are  intensifying. 
In  this  series,  leading  international  experts  explore  key  topics  on 
cyber  disputes  and  collaboration.  Written  by  practitioners  and 
renowned  scholars  who  are  leaders  in  their  fields,  the  publications 
provide  original  and  accessible  overviews  of  subjects  about  cyber 
power,  conflict,  and  cooperation. 

As  a  venue  for  dialogue  and  study  about  cyber  power  and  its  relation¬ 
ship  to  national  security,  military  operations,  economic  policy,  and 
other  strategic  Issues,  this  series  aims  to  provide  essential  reading 
for  senior  military  leaders,  professional  military  education  students, 
and  interagency,  academic,  and  private-sector  partners.  These 
intellectually  rigorous  studies  draw  on  a  range  of  contemporary 
examples  and  contextualize  their  subjects  within  the  broader 
defense  and  diplomacy  landscapes. 

These  and  other  Air  Force  Research  Institute  studies  are  available 
via  the  AU  Press  website  at  http://aupress.au.af.mil/papers.asp. 
Please  submit  comments  to  afri. public®  maxwell.af.mil 


This  paper  is  dedicated  to  my  parents 


Everyone  is  to  consider  the  same  person  a  friend  or 
enemy  as  the  city-state  does,  and  if  someone  should 
make  peace  or  war  with  certain  parties  in  private,  apart 
from  the  community,  the  penalty  is  to  be  death.  ...  If 
some  part  of  the  city-state  should  by  itself  make  peace 
or  war  with  certain  parties,  the  Generals  are  to  bring 
those  responsible  for  this  action  into  court,  and  the  Judi¬ 
cial  penalty  for  someone  who  is  convicted  shall  be  death. 


— Plato,  Laws:  Book  I,  630e-631a 


Contents 


List  of  Illustrations  vii 

Foreword  ix 

About  the  Author  xiii 

Acknowledgments  xv 

Executive  Summary  xvii 

1  Introduction  1 

2  The  Cyber  Environment  9 

A  Holistic  View  of  Cyberspace  10 

Multistage,  Multijurisdictional  Attacks  13 

Spoofing  Machines  to  Mask  Geography  14 

3  American  Sponsorship  of  Embryonic  Global 

Norms  35 

American  Sponsorship  of  Global  Norms  38 

The  Anti-trafficking-in-Persons  Initiative  39 

The  Global  Culture  of  Cybersecurity  and 
Embryonic  Norms  for  State  Responsibility 
in  Cyberspace  4 1 

The  Global  Cybersecurity  Behavioral  Baseline  42 

The  WSIS  and  Global  Cybersecurity  46 

Internationally  Wrongful  Acts  in  Cyberspace  50 

4  A  Framework  for  Development,  Diplomacy, 

and  Defense  55 

Development,  Diplomacy,  and  Defense  Responses  57 
A  Need  for  Norms  on  Cyber  Weapons  60 

Language  for  “Victims  of  Trafficking  in  Malicious 

Code”  Legislation  61 

Leading  by  Example:  US-based  Entities’ 

Responsibility  65 


u 


5  Conclusion  69 

Where  Do  We  Go  from  Here?  69 

Linking  It  All  Together  70 

Abbreviations  73 

Bibliography  75 


VI 


Illustrations 


Figures 

1  Characteristics-based  model  of  cyberspace  1 1 

2  Outline  of  a  bypotbetical  multistage, 

cross-jurisdictional  attack  14 

3  How  TOR  works  1 7 

4  Some  necessary  conditions  for  cyber  attacks  19 

5  Attack  agents  and  capabilities  19 

6  Spectrum  of  cyber  conflict  2 1 

7  Spectrum  of  cyber  operations  23 

8  Incident  response  teams  around  tbe  world  28 

9  Necessary  components  of  a  CERT  30 

10  Sanitary  ISP  31 

1 1  Number  of  participants  at  WSIS  47 

12  Model  of  a  Tier -one  country  63 

Tables 

1  Motivating  factors  and  targeted  infrastructures  20 

2  Norm  lifecycles  and  American  support  37 

3  Foundations  of  tbe  global  culture  of  cybersecurity  44 

4  US  cyber  retaliation  framework  56 

5  Malicious  activity  by  source  66 

vii 


Foreword 


Today’s  complex  and  interdependent  global  eeonomy  relies 
heavily  on  an  Internet  infrastrueture  that  is  fraught  with  risks, 
threats,  and  hazards  the  average  eomputer  user  or  small-  and 
medium-sized  enterprise  is  unaware  of  and  unprepared  for. 
Confldenee  in  the  ability  to  effeetively,  effieiently,  and  seeurely 
eonduet  eommeree  and  business  proeesses  over  the  Internet 
and  through  emerging  mobile  deviee  applieations  is  vital  and 
fundamental  for  vibrant  and  stable  eeonomies  around  the 
globe.  The  world  faees  unpreeedented  risks  aeross  the  Internet 
in  what  has  beeome  known  as  “the  twenty-first  eentury’s  Wild 
West,”  where  attaeks  on  eomputer  systems  and  networks  are 
generally  eondueted  with  eomplete  anonymity  and  immunity 
for  those  perpetrating  these  aets. 

The  generally  inseeure  nature  of  our  intereonneeted  environ¬ 
ment  ean  be  traeed  to  several  faetors: 

1.  For  over  40  years  universities  have  taught  eourses  on  de¬ 
signing  and  writing  eomputer  eoding.  When  these  eollege- 
level  eourses  were  first  established,  we  lived  in  a  world 
where  no  one  ever  imagined  the  intereonneetivity  that 
would  evolve  and  beeome  so  eentral  to  our  lives  today. 
Computer  systems  were  stand-alone  and  not  networked  to 
third  parties  that  performed  various  serviees  or  support. 
As  the  intereonneetivity  of  the  Internet  evolved,  few  people 
realized  the  inherent  flaws  and  laek  of  sound  seeurity  mea¬ 
sures  in  legaey  systems  or  new  systems  that  were  devel¬ 
oped  utilizing  legaey-style  programming  methodologies. 

2.  Legaey  eomputer  hardware,  middleware,  and  network 
designers  also  overlooked  or  outright  ignored  building  in 
seeurity  measures,  as  they  were  viewed  as  negatively  af- 
feeting  performanee,  output,  or  throughput  and  were 
generally  deemed  unneeessary. 

3.  Both  software  developers  and  hardware  manufaeturers 
established  an  environment  from  the  beginning  where 
they  aeeepted  no  liability  or  responsibility  for  any  loss, 
delay,  disruption,  or  other  aetion  that  might  affeet  the 
purehaser/user  eommunity,  whether  eaused  direetly  or 

ix 


indirectly  by  the  systems,  hardware,  or  software  supplied. 
This  “use  at  your  own  risk”  disclaimer  to  liability  has 
manifested  itself  into  a  patch  management  nightmare. 
Every  new  release  of  software  or  hardware  is  regularly  fol¬ 
lowed  with  periodic  security  patches.  These  patches  deal 
with  flaws  that  the  rush-to-market  mentality  of  the  man¬ 
ufacturers  and  producers  created  by  failing  to  take  a 
duty-of-care  philosophy  in  product  design  and  delivery. 
Early  on  in  the  evolution  of  software,  hardware,  and  net¬ 
works,  people  became  accustomed  to  computer  bugs  and 
other  design  flaws  that  they  simply  accepted  as  the  norm. 
Rarely  has  a  single  industry  benefitted  from  such  a  de¬ 
sensitized  consumer  population,  which  has  allowed  the 
producers  and  manufacturers  to  skirt  responsibility  and 
liability  for  the  flawed  products  and  systems  they  produce. 

4.  Individuals,  corporate  executives,  and  elected  officials 
have  very  little  understanding  of  the  scope  of  the  risks 
and  threats  they  face  through  computer  systems  and  net¬ 
works  that  are  ultimately  linked  through  the  Internet  to¬ 
day.  To  further  highlight  this  point,  a  joint  study  on  cyber - 
based  crime  conducted  by  Verizon  and  the  US  Secret 
Service  indicated  that  in  65  percent  of  the  data  breach 
cases  they  reviewed,  a  third  party  notified  unsuspecting 
victims  that  they  had  been  subjected  to  a  breach  in  their 
computer  system  or  network.  Additionally,  a  report  issued 
by  the  White  House  in  2009  conservatively  estimated  the 
value  of  the  loss  of  US  intellectual  property  as  a  result  of 
just  cyber  hacking  at  more  than  $1  trillion  in  2008  alone. 

When  resourceful  individuals,  organized  criminals,  extremist 
groups,  and  ultimately  nation-states  started  to  exploit  these 
inherent  weaknesses  in  computer  programs,  networks,  and 
hardware,  a  cottage  industry  was  formed.  These  new  compa¬ 
nies  focused  on  measures  to  counter  computer  attacks  with 
firewalls  and  antivirus  protection.  Software  developers  also 
provide  a  continuous  flow  of  patches  to  fix  the  flaws  that  con¬ 
tribute  to  these  exploitations.  It  wasn’t  until  the  arrival  of  the 
twenty- first  century  that  universities  started  to  include  preven¬ 
tative  security  measures  into  their  coursework  as  a  key  basis  of 
design  for  software  and  hardware. 


X 


A  patchwork  of  state  and  federal  laws  and  regulations  has 
developed  aeross  the  United  States  and  around  the  globe  to 
begin  to  deal  with  eomputer -related  erime.  Issues  sueh  as  eon- 
flieting  state  laws  and  requirements  to  notify  individuals  if  their 
personally  identifiable  information  has  been  subjeeted  to  a 
eomputer  breaeh  have  ereated  eonfusion  and  exeessive  eosts  of 
eomplianee.  The  eomplexity  of  the  privaey  proteetion  laws 
aeross  the  European  Union,  as  well  as  individual  eountries  in 
the  EU  having  their  own  set  of  eomplex  laws  and  regulations 
dealing  with  privaey  and  data  breaehes,  has  also  ereated  dra- 
matie  levels  of  diffieulty  in  establishing  eomplianee  regimes. 

To  instill  trust  and  order  in  the  Internet  as  a  key  faeilitator  of 
global  eommeree,  a  number  of  things  must  be  aeeomplished: 

•  Harmonizing  of  laws  and  regulations  dealing  with  eom¬ 
puter  software,  hardware,  and  networks  to  ensure  that 
eomplianee  is  inereased  and  that  noneomplianee  ean  be 
easily  identified  and  dealt  with  swiftly. 

•  Holding  software  produeers,  hardware  manufaeturers, 
and  network  providers  liable  for  delivery  of  flawed  produets 
and  sendees  that  eontribute  direetfy  or  indireetfy  to  the 
loss,  disruption,  or  denial  of  sendees  of  those  using  the 
systems,  hardware,  or  networks.  Liability  exposure  will 
foree  these  produeers,  manufaeturers,  and  providers  to 
ensure  that  in-depth  seeurity  is  built  into  their  produets 
before  they  are  delivered  to  market  and  is  maintained  after 
they  are  operational. 

•  Establishing  treaties  to  ensure  that  no  individual,  orga¬ 
nized  eriminal  or  extremist  group,  or  nation-state  can  oper¬ 
ate  with  anonymity  or  immunity  on  the  Internet  and  that 
they  be  held  aeeountable  for  their  aetions.  Nation-states 
must  be  held  responsible  for  rooting  out,  stopping,  and 
bringing  to  justiee  any  individual,  group,  or  entity  eommit- 
ting  any  illegal  aet  over  the  Internet. 

Instituting  a  robust  system  of  monitoring,  eontrols,  and 
sanetions  to  ensure  that  the  Internet  funetions  as  a  trusted 
and  heavily  defended  environment  that  fosters  eooperation, 
eollaboration,  and  eommeree  will  have  a  dramatie  effeet  on  the 


XI 


stability,  viability,  and  resilience  of  our  interconnected  global 
economy. 


Lynn  Mattice,  President  and  Founder 
National  Economic  Security  Grid 
lmattice@nesgusa.org 


About  the  Author 


Dr.  Panayotis  “Pano”  A.  Yannakogeorgos  is  a  research  pro¬ 
fessor  of  cyber  policy  and  global  affairs  at  the  Air  Force  Research 
Institute.  His  expertise  includes  the  intersection  of  cyberspace, 
national  security  and  military  operations,  cyber  international  re¬ 
lations,  cyber  arms  control,  violent  nonstate  actors,  and  the 
Eastern  Mediterranean.  He  has  recently  authored  articles  and 
chapters  including  “Internet  Governance  and  National  Securiiy,” 
Strategic  Studies  Quarterly;  “Challenges  in  Monitoring  Cyber  Arms 
Control,”  Journal  of  Information  Warfare  and  Terrorism;  “Pitfalls 
of  the  Private -Public  Partnership  Model,”  Crime  and  Terrorism 
Risk:  Studies  in  Criminology  and  Criminal  Justice;  and  “Cyber¬ 
space:  The  New  Frontier  and  the  Same  Old  Multilateralism”  in 
Global  Norms:  American  Sponsorship  and  the  Emerging  Pattern  of 
World  Politics.  He  has  also  published  in  the  Atlantic,  the  National 
Interest,  and  the  Diplomat.  Prior  to  his  current  position.  Dr. 
Yannakogeorgos  taught  graduate-level  courses  on  globaliza¬ 
tion,  security,  and  intelligence  at  Rutgers  University’s  Division 
of  Global  Affairs,  where  he  also  served  as  senior  program  coordi¬ 
nator  and  led  the  Center  for  the  Study  of  Emergent  Threats  in 
the  Twenty-First  Century.  He  has  participated  in  the  work  of 
global  cybersecurity  bodies  including  the  High  Level  Experts 
Group  of  the  Global  Cybersecurity  Agenda  of  the  International 
Telecommunications  Union.  In  2006  he  served  as  an  adviser 
within  the  United  Nations  Security  Council  on  issues  related  to 
nuclear  nonproliferation,  the  Middle  East  (including  Iran), 
al-Qaeda,  and  Internet  misuse.  He  holds  a  doctorate  and  a 
master  of  science  in  global  affairs  from  Rutgers  University  and 
a  bachelor  of  liberal  arts  in  philosophy  from  Harvard  University. 


Acknowledgments 


This  project  concludes  research  ongoing  from  January  2011. 
Several  individuals  helped  refine  my  thinking  and  mature  the 
ideas  found  herein.  Grateful  acknowledgement  is  extended  to 
the  following  for  their  support  in  my  fulfillment  of  this  project. 
First,  to  the  AFRl  team:  Gen  John  A.  Shaud,  USAF,  retired,  Dr. 
Dale  Hayden,  Mr.  Steve  Hagel,  and  Dr.  Tony  Gould.  Second, 
there  are  the  many  individuals  with  whom  1  discussed  and 
shared  versions  of  this  monograph,  including  Lt  Gen  Robert  J. 
Elder  Jr.,  USAF,  retired.  Dr.  Simon  Reich  of  Rutgers  University, 
Mr.  Jason  Healey  of  the  Atlantic  Council,  Dr.  Roger  Hurwitz  of 
MIT,  Ms.  Judith  Strotz  of  the  Department  of  State,  Ms.  Jody 
Westby  of  Global  Cyber  Risk,  Mr.  Sean  Kanuck  of  the  Office  of 
the  Director  of  Naval  Intelligence,  Dr.  Duncan  Hollis  of  Temple 
University,  Mr.  Lynn  Mattice  of  the  National  Economic  Security 
Grid,  Airmen  of  the  Twenty-Fourth  Air  Force,  and  others  serving 
silently.  Finally,  a  heartfelt  acknowledgment  is  extended  to  Ms. 
Jeanne  Shamburger  and  Mr.  Jim  Howard  at  Air  University 
Press,  who  helped  prepare  the  final  manuscript. 


XV 


Executive  Summary 


Malicious  cyber  actors  exploit  gaps  in  teehnology  and  inter¬ 
national  eyberseeurity  eooperation  to  launeh  multistage,  multi- 
jurisdietional  attaeks.  Rather  than  eonsider  teehnieal  attribu¬ 
tion  the  ehallenge,  a  more  aeeurate  argument  would  be  that 
“solutions  to  preventing  the  attaeks  of  most  eoneern,  multi¬ 
stage  multi-jurisdietional  ones,  will  require  not  only  teehnieal 
methods,  but  legal/poliey  solutions  as  well.”^  Deep  understand¬ 
ing  of  the  soeial,  eultural,  eeonomie,  and  politieal  dynamies  of 
the  nation-states  where  eyber  threat  aetors  operate  is  eurrently 
laeking.  This  projeet  aims  to  develop  a  qualitative  framework  to 
guide  US  poliey  responses  to  states  that  are  either  origin  or 
transit  eountries  of  eyber  attaeks. 

The  eurrent  foeus  of  attribution  efforts  within  the  national 
seeurity  eontext  eoneentrates  on  law  enforeement  paradigms 
aiming  to  gather  evidenee  to  proseeute  an  individual  attaeker. 
This  is  usually  dependent  on  teehnieal  means  of  attribution. ^ 
In  malieious  eyber  aetions,  spoofing  or  obfuseation  of  an  iden¬ 
tity  most  often  oeeurs.  It  is  not  easy  to  know  who  eonduets 
malieious  eyber  aetivity.  But  private  seetor  reports  have  proven 
that  it  is  possible  to  determine  the  geographie  referenee  of 
threat  aetors  to  varying  degrees.^  Based  on  these  assumptions, 
nation-states,  rather  than  individuals,  should  be  held  eulpable 
for  the  malieious  aetions  and  other  eyber  threats  that  originate 
in  or  transit  information  systems  within  their  borders  or  that 
are  owned  by  their  registered  eorporate  entities.  This  work 
builds  on  other  appealing  arguments  for  state  responsibility  in 
eyberspaee.'^  Engaging  the  global  eommunity  to  develop  a  global 
eulture  of  eyberseeuriiy  is  a  requirement  for  beginning  the  mitiga¬ 
tion  of  the  risks  of  eountries  being  used  for  transiting  or  originat¬ 
ing  of  malieious  eyber  aets.  The  United  States  will  need  to  build  a 
framework  based  on  the  artieulated  norms  of  responsible  state 
behavior  in  eyberspaee  to  legitimize  this  global  engagement.^  I 
offer  sueh  a  framework  here  as  a  starting  point  for  diseussion  at 
this  early  stage  in  international  eyber  poliey  development. 

Teehnieal  ehallenges  are  not  a  great  hindranee  to  global  eyber 
seeurity  eooperation;  rather,  a  nation’s  laek  of  eyberseeurity 
aetion  plans  that  eombine  teehnology,  management  proee- 
dures,  organizational  struetures,  law,  and  human  eompeteneies 


xvii 


into  national  security  strategies  are.®  As  concluded  in  the  2010 
Quadrennial  Defense  Review,  the  2010  National  Security 
Strategy,  International  Strategy  for  Cyberspace,  and  the  2011 
Department  of  Defense  Strategy  for  Operating  in  Cyberspace, 
strengthening  international  partnerships  to  secure  the  cyber 
domain  will  require  understanding  the  technical,  legal,  and  de¬ 
fense  challenges  faced  by  our  international  partners.^  The  re¬ 
search  project  is  also  firmly  within  the  scope  of  the  administra¬ 
tion’s  Comprehensive  National  Cybersecurity  Initiative  and 
International  Strategy  for  Cyberspace  and  the  Department  of 
Defense  Strategy  for  Operating  in  Cyberspace.  These  also  tie  in 
with  the  Office  of  Science  and  Technology  Policy’s  research 
tasking  to  “provide  knowledge  in  support  of  laws,  regulations, 
and  international  agreements.’’® 

Identifying  the  gaps  in  international  cooperation  and  their 
socioeconomic  and  political  bases  will  provide  the  knowledge 
required  to  support  our  partners’  cybersecurity  and  contribute 
to  building  a  cyber  environment  less  hospitable  to  misuse.  It 
will  also  help  US  policy  makers  to  determine  the  appropriate 
escalation  of  diplomatic  and  defensive  responses  to  irrespon¬ 
sible  countries  in  cyberspace.  Further  research  and  discussion 
will  likely  enable  the  timely  development  of  the  response  frame¬ 
work  for  US  sponsorship  of  sound  global  norms  to  guide  global 
cybersecurity.®  This  will  also  assist  the  US  defense,  diplomatic, 
and  development  communities  in  building  consensus,  leverag¬ 
ing  resources  to  enhance  global  cybersecurity,  and  coordinat¬ 
ing  US  global  outreach  to  those  countries  most  beset  by  cyber 
crime  and  conflict. 


Notes 

(All  notes  appear  in  shortened  form.  For  full  details,  see  the  appropriate 
entiy  in  the  bibliography.) 

1.  Clark  and  Landau,  “The  Problem  Isn’t  Attribution,”  1. 

2.  Technical  attribution  refers  to  “the  ability  to  associate  an  attack  with  a 
responsible  party  through  technical  means  based  on  information  made  avail¬ 
able  by  the  cyber  operation  itself — that  is,  technical  attribution  is  based  on 
clues  available  at  the  scene  (or  scenes)  of  the  operation.”  Lin,  “Escalation 
Dynamics  and  Conflict  Termination  in  Cyberspace,”  49. 

3.  See,  for  example,  Alperovltch,  Revealed;  Grey  Logic,  Project  Grey  Goose 
Report  on  Critical  Irifrastructure;  and  Information  Warfare  Monitor  and  Shad- 
owserver  Foundation,  Shadows  in  the  Cloud. 


xviii 


4.  Healey,  ‘The  Spectrum  of  National  Responsibility  for  Cyber  Attacks”: 
Kanuck,  “Sovereign  Discourse  on  Cyber  Conflict  under  International  Law”; 
Yannakogeorgos  and  Mattice,  Essential  Questions  for  Cyber  Policy. 

5.  Articulated  global  norms  of  behavior  include  UN  General  Assembly 
(UNGA),  “Developments  in  the  Field  of  Information  and  Telecommunications 
in  the  Gontext  of  International  Security,”  preliminary  para. 7;  and  UNGA 
“Gombating  the  Criminal  Misuse  of  Information  Technologies”;  UNGA,  “Gre- 
ation  of  a  Global  Culture  of  Cybersecurity,”  A/RES/57/239,  preliminary 
para.  5.  For  more  on  norms  development  and  the  norms  lifecycle,  see 
Finnemore  and  Sikklnk,  “International  Norm  Dynamics  and  Political  Change”; 
and  Reich  and  Yannakogeorgos,  Global  Norms,  American  Sponsorship  and  the 
Emerging  Pattern  of  World  Politics,  3. 

6.  Ghernouti-Helie,  “A  National  Strategy  for  an  Effective  Cybersecurity 
Approach  and  Culture.” 

7.  Department  of  Defense,  “Operate  Effectively  in  Gyberspace,”  in  Quadren¬ 
nial  Defense  Review  Report,  37-39;  National  Security  GouncU,  National  Security 
Strategy,  27-28;  and  White  House,  International  Strategy  for  Cyberspace. 

8.  National  Security  Council,  Comprehensive  National  Cybersecurity  Initia¬ 
tive;  International  Strategy  for  Cyberspace-,  Department  of  Defense,  Department  of 
Defense  Strategy  for  Operating  in  Cyberspace;  and  Executive  Office  of  the  Presi¬ 
dent,  National  Science  and  Technology  Council,  Trustworthy  Cyberspace,  12. 

9.  National  Security  Council,  Comprehensive  National  Cybersecurity  Initiative. 


XIX 


Chapter  1 


Introduction 

Cyber  conflict  activities  constitute  a  critical  form  of  coercive 
power.  Effects  can  range  from  disruption  to  destruction.  The 
loss  of  electrical  power  for  extended  periods  of  time,  inability  to 
conduct  commerce  due  to  networking  failures,  and  incapacity 
of  military  organizations  to  command  and  control  their  forces 
are  credible  threats.  In  the  past,  the  United  States  has  faced 
adversarial  states  and  violent  nonstate  actors  organized  in  rel¬ 
atively  hierarchical  vertical  structures.  However,  today  the  evo¬ 
lution  of  information  and  communication  technology  (ICT), 
such  as  those  that  make  up  the  Internet,  and  the  intensifica¬ 
tion  of  reliance  on  these  vulnerable  technologies  provide  US 
adversaries  with  the  opportunity  to  organize  themselves  as 
horizontal  networks  with  decentralized  leadership  and  no  clear 
evidence  of  state  control.^  More  often  than  not,  the  framing  of 
the  question  of  who  is  responsible  for  an  attack  focuses  on  the 
individual  actor.  One  expert  notes: 

The  question  is  who  is  responsible  for  these  things,  even  if  you  trace  it 
back  to  China,  is  if  they  are  bored  hackers  or  PLA  [People’s  Liberation 
Army]  members  or  criminals  with  ties  to  the  PLA  or  PLA  divisions  acting 
criminally?  We  don’t  really  know.  1  suspect  that  the  majority  of  the  at¬ 
tacks  and  espionage  on  the  criminal  side  are  by  patriotic  hackers  that 
have  some  sort  of  connection,  maybe  financial,  to  the  PLA  or  the  State 
Security  Ministry.  In  the  cases  of  power  grids  and  other  cases  like  that, 

1  suspect  PLA  affiliation,  but  there  is  no  way  to  know.^ 

The  question  of  attribution — ^what  individual  or  group  ex¬ 
ploited  US  information  systems? — ought  to  become.  Which 
state  did  the  group  operate  from,  and  What  state  did  it  filter  its 
malicious  digital  traffic  through? 

There  has  been  extensive  press  coverage  regarding  Chinese 
involvement  in  cyber  espionage  and  Internet  censorship.  The 
United  States’  policies  for  responding  to  cyber  events  are  still 
being  developed.  Experts  have  noted  that  “a  big  part  of  the 
[Chinese]  strategy  is  the  PLA  civilian  units — IT  [information 
technology]  engineers  drawn  from  universities,  institutes,  and 
corporations.”^  O.  Sami  Saydjari,  a  former  National  Security 


1 


Agency  executive,  has  stated  that  “the  Chinese  People’s  Libera¬ 
tion  Army,  one  of  the  world’s  largest  military  forces,  with  an 
annual  budget  of  $57  billion,  has  ‘tens  of  thousands’  of  train¬ 
ees  launching  attacks  on  U.S.  computer  networks.’’"^ 

This  highlights  the  blurred  lines  between  state  and  nonstate 
actors  who  may  perpetrate  cyber  conflict.  It  is  a  line  that  states 
hide  behind  when  confronted  about  attacks.  Although  these 
trainees  might  not  be  officially  controlled  by  the  Chinese  gov¬ 
ernment,  allowing  the  PLA  to  plausibly  deny  its  involvement  in 
an  attack,  evidence  of  indirect  control  should  be  enough  to 
hold  China  responsible  for  hackers  without  borders  operating 
from  within  China.  Several  recent  studies  of  cyber  espionage 
and  the  publicized  results  of  corporate  investigations  have 
traced  several  attacks  against  the  United  States’  commercial 
infrastructures  to  China  after  malicious  data  was  pivoted 
through  several  servers  around  the  world. ^  Denying  its  official 
involvement,  the  government  of  China  bemoaned  its  fate  as  the 
greatest  victim  of  cyber  crime.® 

A  recent  report  to  Congress  by  the  United  States-China  Eco¬ 
nomic  and  Security  Review  Commission  observed  that  China’s 
“professional  state  sponsored  intelligence  collection  not  only 
targets  a  nation’s  sensitive  national  security  and  policymaking 
information,  it  increasingly  is  being  used  to  collect  economic 
and  competitive  data  to  aid  foreign  businesses  competing  for 
market  share  with  their  U.S.  peers.”  The  same  report  noted 
that  the  Chinese  are  aware  of  the  gaps  in  US  cyber  strategies 
and  may  be  exploiting  “U.S.  policymaking  and  legal  frameworks 
to  create  delays  in  U.S.  command  decision  making.”^  The  major 
flaw  in  US  policy  is  focusing  on  individual  responsibility  for  an 
act  of  cyber  espionage,  crime,  or  conflict.  The  policy  gaps  that 
currently  exist  are  those  of  formulating  response  frameworks 
to  cyber  events  that  do  not  rely  on  a  law  enforcement  para¬ 
digm.  Instead,  I  argue  that  we  need  to  respond  to  states  with 
our  own  mechanisms  of  statecraft  and  hold  states  responsible 
within  varying  degrees  for  attacks  originating  or  transiting 
through  their  territory. 

Attribution  of  cyber  attacks  is  not  an  easy  task.  There  are 
technical  issues  covered  in  chapter  2  which  complicate  identi¬ 
fying  cyber  attackers.  Anonymization  can  occur  when  attacks 
transit  through  several  countries  and  can  even  originate  on 


2 


infected  computers  without  the  knowledge  of  their  owners. 
These  are  known  as  botnets  in  the  popular  press.  A  “hot”  is 
malicious  software  that  can  infect  and  control  a  computer  and 
interactively  respond  to  remote  commands  to  extract,  corrupt, 
or  insert  data  into  each  infected  computer.  Weak  domestic-law- 
enforcement  cybersecurity  capabilities  in  both  developed  and 
developing  nations  create  virtual  safe  havens  from  which  per¬ 
petrators  of  cyber  crime  operate  (either  physically  or  virtually) 
to  spoof  their  true  identity  and  operate  with  near  impunity.  It 
is  this  “spoofing”  that  has  come  to  dominate  the  discussions 
around  response  to  cyber  attack.  Discussed  in  greater  detail  in 
chapter  three,  the  attribution  challenge  arises  from  the  vulner¬ 
abilities  built  into  the  transmission  control  protocol  /  Internet 
protocol  (TCP/IP).  The  IP  version  4  (IPv4),  the  Internet’s  back¬ 
bone  transport  protocol,  makes  it  possible  for  individuals  to 
mask  the  true  location  of  their  persons  and  computers.  Techni¬ 
cal  attribution  is  further  complicated  in  the  nature  of  an  at¬ 
tacks.  Distributed  denial  of  service  attacks  present  different 
challenges  in  determining  their  sources  than  attacks  designed 
to  “exfiltrate”  or  steal  sensitive  or  proprietary  data.  Regardless 
of  attack  type,  the  trend  today  is  for  multistage  and  multijuris- 
dictional  attacks — attacks  infecting  a  lot  of  computers  in  a  lot 
of  places  worldwide. 

The  law  enforcement  paradigm  of  attribution  has  come  to 
dominate  early  cyber  policy  dialogues  about  strategy  and  doc¬ 
trine.  Air  Force  doctrine  for  cyberspace  operations  describes 
the  attribution  problem  in  the  following  terms: 

Perhaps  the  most  challenging  aspect  of  attribution  of  actions  in  cyber¬ 
space  is  connecting  a  cyberspace  actor  or  action  to  an  actual,  real-world 
agent  (be  it  Individual  or  state  actor)  with  sufficient  confidence  and 
verifiability  to  inform  decision-  and  policymakers.  .  .  .  The  nature  of 
cyberspace,  government  policies,  and  international  laws  and  treaties 
make  it  very  difficult  to  determine  the  origin  of  a  cyberspace  attack.  The 
ability  to  hide  the  source  of  an  attack  makes  it  difficult  to  connect  an 
attack  with  an  attacker  within  the  cyberspace  domain.  The  design  of  the 
Internet  lends  itself  to  anonymity.  .  .  .  Nations  can  do  little  to  combat  the 
anonymity  their  adversaries  exploit  in  cyberspace.  .  .  .  Nevertheless, 
nations  have  the  advantage  of  law  and  the  ability  to  modify  the  techno¬ 
logical  environment  by  regulation.® 

The  Air  Force  appears  to  be  following  the  traditional  attribu¬ 
tion  framework  emphasizing  knowing  exactly  who  the  perpe- 


3 


trator  is.  The  result  is  that  eyber  operators  are  being  asked  to 
inform  deeision  and  poliey  makers  with  aeeurate  and  preeise 
evidenee  for  a  serious  response  to  eyber  attaek.®  While  these 
requirements  for  the  eolleetion  of  evidenee  might  be  appropri¬ 
ate  in  a  law  enforeement  eontext,  sueh  standards  of  evidenee 
are  misapplied  in  military  and  strategie  eontexts.  The  state¬ 
ment  of  USAF  doetrine  relating  to  law  and  poliey  modifying  the 
teehnologieal  environment  is  more  pertinent.  However,  laws 
and  regulations  take  time  and  resourees  to  aeeomplish.  Con¬ 
sider  the  deeades-long  proeesses  that  led  to  the  UN  Convention 
on  the  Law  of  the  Sea  in  1982.  Instead,  I  offer  a  paradigm  of 
Ameriean  sponsorship  of  already  established,  yet  embryonie, 
global  norms  of  eyber  behavior  to  faeilitate  the  formation  of  a 
global  eulture  of  eyberseeurity.  Ameriean  sponsorship  would 
enable  enforeement  of  those  norms  and  lessen  the  importanee 
of  knowing  who  the  exaet  perpetrator  of  a  eyber  attaek  is,  if  the 
souree  of  the  attaek  ean  be  traeed  to  a  speeifie  nation-state. 

Teehnologiealfy,  attribution  works  better  than  the  dire  pie- 
ture  presented  in  poliey  might  suggest.  Several  attaeks  earning 
from  within  China  over  the  past  five  years  have  been  publiely 
traeed  to  operators  with  Chinese  eharaeteristies. Further¬ 
more,  several  high-profile  eyber  erime  eases,  sueh  as  the  FBI’s 
multinational  effort  in  Operation  Takedown,  illustrate  the  es¬ 
sentiality  of  international  law  enforeement  eooperation  to  bring 
eriminal  justiee  into  eyberspaee.^^  Sueh  eases  offer  evidenee 
that  individual  perpetrators  ean  be  brought  to  justiee  when 
there  is  solid  international  eooperation.  Countries  and  others 
not  eooperating  in  eyber  investigations  alibi  that  beeause  of 
anonymity  on  the  Internet  they  eannot  traee  eyber  attaekers, 
while  efforts  of  like-minded  nations,  the  United  States  and  the 
United  Kingdom,  have  resulted  in  the  dismantling  of  a  global 
network  of  “anonymous”  haekers.  While  attribution  in  eyber- 
spaee  is  eomplieated,  it  is  not  as  impossible  as  the  mainstream 
view  portrays  it  to  be. 

As  it  stands,  a  nation-state  eannot  solely  assure  its  seeurity 
within  eyberspaee.  The  existenee  of  vulnerabilities  in  the  proto- 
eols,  hardware,  and  software  that  make  up  the  domain,  the 
exploitation  of  these  vulnerabilities,  and  the  faet  that  malieious 
eyber  events  ean  eome  from  anywhere  over  the  Internet  require 


4 


international  cooperation  between  states  to  create  a  global  cul¬ 
ture  of  cybersecurity. 

Due  to  the  vulnerabilities  built  into  the  Internet  protocol, 
individuals  can  disguise  their  identities  with  relative  ease.  At¬ 
tribution  becomes  even  more  complicated  when  the  motivation 
of  attacks  is  considered.  Attack  patterns,  effects,  and  levels  of 
ambiguity  differ  between  criminal,  terrorist,  or  state-sponsored 
cyber  attacks.  These  challenges  can  be  overcome  with  the  es¬ 
tablishment  of  global  cybersecurity  policy. 

The  current  law  enforcement  paradigm  for  attribution  does 
not  offer  a  sound  basis  for  attributing  attacks.  Rather,  nation¬ 
states  should  be  held  culpable  for  the  malicious  actions  and 
other  cyber  threats  originating  in  or  transiting  information  sys¬ 
tems  within  their  borders  or  owned  by  their  registered  corpo¬ 
rate  entities.  This  cannot  be  done  without  clear  and  accepted 
norms  of  responsible  state  behavior  in  cyberspace. 

The  process  of  establishing  these  norms  has  begun  in  fo¬ 
rums  associated  with  the  United  Nations  and  its  International 
Telecommunications  Union  (ITU),  but  the  United  States  is  try¬ 
ing  to  lead  the  development  of  global  cybersecurity  initiatives 
within  other  forums.  Instead,  the  majority  of  nation-states,  in¬ 
cluding  American  allies  and  some  American  partners,  prefer  to 
follow  the  lead  of  Russia  and  China  in  support  of  the  ITU  frame¬ 
works.  The  United  States  should  increase  participation  in  the 
ITU  and  get  behind  the  international  efforts  on  behalf  of  cyber - 
security.  American  sponsorship  of  the  global  norms  coming  out 
of  the  ITU  would  immediately  increase  cooperation  between 
states  to  create  a  more  secure  cyber  ecosystem  and  allay  fears 
of  a  hegemonic  United  States. 

In  201 1,  the  White  House  released  the  International  Strategy 
for  Cyberspace  emphasizing  development,  diplomacy,  and  de¬ 
fense  in  the  US  government’s  vision  on  how  to  secure  cyber¬ 
space.  The  strategy  highlights  the  US  commitment  to  develop¬ 
ment  through  working  to  “play  an  active  role  in  providing  the 
knowledge  and  capacity  to  build  and  secure  new  and  existing 
digital  systems.” This  element  is  important  in  helping  reduce 
the  numbers  of  safe  havens  in  cyberspace  through  which  mali¬ 
cious  actors  initiate  or  transit  their  attacks  through.  Secondly, 
through  diplomacy,  the  United  States  will  strive  “to  create 
incentives  for,  and  build  consensus  around,  an  international 


5 


environment  in  whieh  states — reeognizing  the  intrinsie  value  of 
an  open,  interoperable,  seeure,  and  reliable  eyberspaee — ^work 
together  and  aet  as  responsible  stakeholders.”^^  The  Depart¬ 
ment  of  State  and  the  Federal  Bureau  of  Investigation  both 
have  roles  in  developing  relationships  with  foreign  governments 
so  that  when  a  eyber  attaek  originates  in  or  transits  through 
their  territory,  the  meehanisms  to  respond  and  aet  responsibly 
are  in  plaee.  These  essential  partnerships  are  in  plaee  to  iden¬ 
tify  and  proseeute  eyber  eriminals  and  terrorists.  Diplomaey 
also  offers  a  ehannel  through  whieh  the  United  States  ean  voiee 
its  eoneerns  to  foreign  governments  implieated  in  malieious 
aets  in  eyberspaee.  If  governments  are  not  fortheoming,  more 
eoereive  diplomatie  measures  ean  be  employed  to  stem  mali¬ 
eious  eyber  aetivities.  Finally,  when  all  else  fails,  the  Depart¬ 
ment  of  Defense  has  a  duty  to  “respond  to  hostile  aets  in  eyber¬ 
spaee  as  we  would  to  any  other  threat  to  our  eountry.”^'^  The 
DOD’s  role  is  also  diplomatie  in  that  it  is  to  build  partnerships 
with  foreign  militaries  and,  as  a  last  resort,  defend  the  nation. 
Within  DOD  the  Air  Foree  in  partieular  has  an  important  role 
to  play  in  military-to -military  relations  sinee  the  Air  Foree  sus¬ 
tains  its  leading  edge  in  eyber  over  the  other  sendees  and  its 
aetions,  in  the  view  of  the  rest  of  the  world  matter. 

In  February  2013,  the  United  States  released  the  “Adminis¬ 
tration  Strategy  on  Mitigating  the  Theft  of  U.S.  Trade  Seerets” 
after  reports  of  state-sponsored  espionage  against  US  eorpora- 
tions.^^  Thus,  the  United  States  is  shifting  toward  embraeing  a 
paradigm  of  state  responsibility.  This  publieation  aims  to  in¬ 
form  plausible  direetions  for  this  emergent  strategy.  Sueeess  of 
the  International  Strategy  for  Cyberspace  depends  on  the  United 
States  shifting  from  trying  to  lead  the  world  toward  sponsoring 
the  existing  global  eulture  of  eyberseeurity  that  has  been  orga¬ 
nized  through  the  International  Teleeommunieations  Union. 
This  will  support  the  United  States’  global  engagements  to  seeure 
eyberspaee  while  leading  by  example.  Along  these  lines,  spe- 
eifie  reeommendations  for  US  eyberspaee  development,  diplo¬ 
maey,  and  defense  will  be  presented. 


6 


Notes 


(All  notes  appear  in  shortened  form.  For  full  details,  see  the  appropriate 
entry  in  the  bibliography.) 

1.  Zanini  and  Edwards,  “Networking  of  Terror  in  the  Information  Age.” 

2.  Ungerleider,  ‘The  Chinese  Way  of  Hacking.” 

3.  Onley  and  Wait,  “Red  Storm  Rising.” 

4.  Grow,  Epstein,  and  Tschang,  “The  New  E-Spionage  Threat.” 

5.  Areddy,  “People’s  Republic  of  Hacking.” 

6.  This  can  be  attributed  to  Chinese  interpretations  of  what  a  cyber  crime 
is.  Their  definition  includes  content,  and,  thus,  using  Facebook  to  mount 
Jasmine  revolutions  would  be  considered  a  crime  in  China,  whereas  the 
United  States  considers  such  actions  as  social  networking  enabling  the  de¬ 
velopment  of  democracy  (in  most  cases). 

7.  United  States-Chlna  Economic  and  Security  Review  Commission,  “Oc¬ 
cupying  the  Information  High  Ground.” 

8.  Air  Force  Doctrine  Document  3-12,  Cyberspace  Operations,  10. 

9.  Lipson,  Tracking  and  Tracing  Cyber- Attacks,  3-5. 

10.  See  Alperovitch,  Revealed:  Operation  Shady  RAT,  Grey  Logic,  Project 
Grey  Goose  Report  on  Critical  Infrastructure:  and  Information  Warfare  Monitor 
and  Shadowserver  Foundation,  Shadows  in  the  Cloud. 

11.  Federal  Bureau  of  Investigation,  “Manhattan  U.S.  Attorney  and  FBI 
Assistant  Director  in  Charge  Announce  Additional  Arrests.” 

12.  White  House,  International  Strategy  for  Cyberspace,  Prosperity,  Secu¬ 
rity,  and  Openness  in  a  Networked  World,  14. 

13.  Ibid.,  11. 

14.  Ibid.,  14. 

15.  Mandiant,  Aduanced  Persistent  Threat,  1. 


7 


Chapter  2 


The  Cyber  Environment 

Attribution  of  cyber  events  to  people  or  maehines  is  an  over¬ 
stated  ehallenge.  Every  aetion  in  eyberspaee  has  a  souree  that 
ean  be  identified  if  observers  are  looking.  Experts  have  noted 
that  “the  very  faet  that  one  attempts  to  eonduet  eyber  warfare 
means  that  some  bit  in  some  data  stream  is  ehanged  to  refleet 
one’s  presenee  and  aetions.”^  All  agents  in  the  eyber  world  ean 
be  visible  if  a  worldwide  effort  is  in  plaee  to  monitor  malieious 
traffre  and  to  punish  behaviors  that  fall  outside  that  whieh 
aims  to  use  the  Internet  to  eommunieate  ideas  freely,  open 
pathways  of  eommeree,  or  otherwise  not  infringe  on  the  right  to 
live  free  and  seeure.^  Mu  eh  of  the  diseussion  in  doetrine  and 
poliey  is  foeused  on  the  issue  of  why — ^with  eurrent  network 
topologies — there  are  no  physieal  identifiers  of  eyber  attaek, 
like  a  missile  flash  observable  from  spaee  or  a  radiologieal  fin¬ 
gerprint  indieating  the  origin  of  the  attaek.  The  eonelusion 
reaehed  is  that  ambiguity  is  the  norm  on  the  Internet  and  that 
attribution  is  an  insoluble  teehnieal  problem  with  eurrent  net¬ 
work  protoeols.  In  this  vision  of  the  eyber  environment,  indi¬ 
viduals  or  groups  ean  “spoof’  their  identities  and  the  loeation 
of  their  eomputers  on  the  network.  Many  experts  argue  that 
traeking  eyber  attaekers  in  enough  time  to  respond  appropri¬ 
ately  is  nearly  unaehievable.®  These  views  have  eome  to  domi¬ 
nate  the  poliey  debates  shaping  doetrine,  but  there  are  others 
who  elaim  that  eyber  attribution  is  not  a  teehnieal  ehallenge — 
rather  a  poliey  ehallenge.'^ 

The  hunt  for  pedophiles  and  the  arrest  of  members  of  the  ad 
hoe  eonglomerate  known  as  LulzSee  offer  evidenee  that  indi¬ 
vidual  perpetrators  ean  be  brought  to  justiee  when  there  is 
solid  international  eooperation.  The  arrests  of  members  of  the 
LulzSee  group  seem  to  have  had  a  deterrent  effeet  on  other 
members  of  the  group,  and  the  entire  projeet  was  disbanded 
after  the  high-profile  arrests  were  made.  The  real  problem  in 
attribution  is  for  nation-states  to  beeome  eooperative  and  re¬ 
sponsible  for  the  aetions  of  malieious  aetors  within  their  sover¬ 
eign  eyberspaee. 


9 


This  work  offers  a  framework  for  the  ereation  of  aeeeptable 
levels  of  attribution  for  national  responsibility  aeross  the  do¬ 
main  of  eonfliet  by  shifting  the  paradigm  from  the  individual  to 
the  state.  Within  the  whole-of-government  eontext,  baseline 
standards  of  behavior  and  the  framework  suggested  herein 
would  allow  deeision  makers  to  hold  states  aeeountable  for  ae- 
tions  undertaken  within  their  sovereign  eyberspaee.  While  a 
neeessary  part  of  the  whole-of-soeiety  response  to  eyber  at- 
taeks,  this  is  only  a  small  part  of  the  politieal  reality  of  eyber¬ 
spaee.  The  framework  provides  suggestions  for  development  of 
a  global  eulture  of  eyberseeurity,  diplomatie  responses,  and — 
in  ineidents  of  national  seeurity  signifieanee — military  aetion. 

A  Holistic  View  of  Cyberspace 

It  is  not  the  purpose  of  this  work  to  elaborate  on  eomputer 
networking  and  the  methods  that  individuals  or  groups  may 
use  to  obfuseate  their  identity  on  the  Internet.  Cyberspaee  has 
been  an  influenee  on  international  relations  for  the  final  half  of 
the  last  eentury  and  the  first  deeade  of  the  twenty-first  eentury. 
As  the  eonsequenees  of  events  in  eyberspaee  are  felt  through¬ 
out  soeiety,  national  seeurity  diseussions  will  eenter  on  how  to 
seeure  this  new  domain.  However,  these  eonsiderations  tend  to 
foeus  on  the  man-made  elements  of  the  eyber  domain.  While 
there  is  no  argument  against  the  man-made  elements  of  eyber¬ 
spaee,  foeusing  too  mueh  on  teehnology  ereates  eoneeptual 
hazards  that  eloud  poliey  diseussions.^  The  following  diseus- 
sion  aims  to  bring  elarity  to  the  attribution  problem  by  foeus¬ 
ing  on  the  physieal,  logieal,  information,  and  human  elements 
of  eyberspaee  rather  than  just  eomputer  eode  (fig.  1). 

One  reason  for  the  eurrent  interest  in  teehnieal  attribution  is 
emphasis  on  the  logieal  versus  the  physieal  layers  that  eom- 
pose  eyberspaee.  For  example.  Air  Foree  eyberspaee  operations 
doetrine  states  that  “eyberspaee  is  a  man-made  domain,  and  is 
therefore  unlike  the  natural  domains  of  air,  land  and  mari¬ 
time.”®  This  approaeh  ereates  an  aura  of  eyberspaee  as  solely  a 
virtual  domain,  divoreing  it  from  the  real  world.  Although  the 
physieal  elements  of  eyberspaee  are  noted  within  the  Air  Foree’s 
definition,  they  are  largely  seeondary  to  the  protoeols  and  eom¬ 
puter  language  through  whieh  digital  eommunieations  oeeur. 


10 


c 

(D 

E 

3 

I 


(Position,  extent,  configuration, 
number,  and  character 


|l 

II 


Dynamic  Information 

Static  Information 

Music,  videos,  sensor  data,  metadata 


NetworkTopoloqies 

Fixed  function  and  closed:  air  traffic  control. 
Secret  Internet  Protocol  Router,  Joint 
Worldwide  Intelligence  Communications  System 
Multiple  function  and  open:  Internet 


Complex  Services 
Databases  +  web  =  active  objects, 
social  networks.  Voice  over  Internet 
Protocol  Telephony 


Applications 

Word  processor,  databases.  World  Wide  Web 
Low-Level  Services 

Execution  environments,  data  transport 
(Transmission  Control  Protocol/Internet  Protocol), 
standards  for  data  formats 


■—  Wires,  fiber  optics,  radio  waves,  servers,  routers,  data 
^  centers,  supercomputers,  quantum  computers,  sensor  grids, 
Q-  quantum  communications  channels 


Figure  1.  Characteristics-based  model  of  cyberspace.  (Based  on  David 
Clark,  “Characterizing  Cyberspace:  Past,  Present  and  Future,”  working  paper, 
version  1.2,  12  March  2010,  http://web.mit.edu/ecir/pdf/clark-cyberspace.pdf.) 


There  are  in  faet  no  purposes  for  eyberspaee  but  to  serve  hu¬ 
man  operators  and  to  ereate  effeets  in  the  physieal  world.  Fix¬ 
ating  on  teehnology  to  the  detriment  of  other  eharaeteristies 
that  eompose  the  eyber  environment  ereates  the  impression 
that  eyber  is  not  that  eonneeted  to  the  real  world.  Refining  the 
eoneeptualization  of  eyberspaee  allows  for  its  demystifieation 
and  eloser  alignment  within  the  physieal  world. ^  Aehieving  this 
goal  requires  looking  at  eyberspaee  as  a  eomplex  eeosystem 
eomposed  of  human  operators  ranging  from  the  easual  Inter¬ 
net  user  to  the  information  warrior;  the  aetual  information  that 
is  stored,  transmitted,  and  transformed;  the  eomputer  eode 
and  protoeols;  and  the  physieal  elements  on  whieh  the  logieal 
elements  reside.® 


11 


The  human  and  physical  aspects  are  just  as  important  as 
the  logical  elements  of  cyberspace.  Data  and  information  are 
not  transported  in  a  virtual  ether  divorced  from  the  laws  of 
physics,  space,  and  time.  Rather,  data  and  information  travel 
through  physical  infrastructures,  such  as  undersea  cables, 
and  reside  on  digital  storage  devices  operated  by  people  who 
are  within  the  boundaries  of  a  state’s  sovereign  territory.  The 
software  and  hardware  companies,  whose  poorly  coded  or 
manufactured  products  are  at  the  root  of  vulnerabilities,  could 
be  held  responsible  with  regulations.  People  and  computer  systems 
responsible  for  cyber  attacks  could  be  made  accountable  to  the 
laws  of  a  state.  And  it  could  be  possible  to  hold  states  liable  for 
malicious  cyber  attacks  based  in  their  territory.^  An  unintended 
result  of  such  an  approach  would  be  bringing  clarity  to  the 
DOD  discussions  regarding  the  combatant  command  respon¬ 
sible  for  dealing  with  cyber  attacks. 


Modern  Botnets 

Botnets  are  good  examples  of  multistage,  multijurisdic- 
tional  attacks.  A  “botnet”  is  a  remotely  controlled  network.  It 
can  be  used  for  sending  spam,  stealing  money  from  bank 
accounts,  denial  of  service  attacks,  and  so  forth.  Botnets 
require  a  command  and  control  (C2)  server,  hacker  machine, 
and  victim  machines  (drones).  Botmasters  target  individuals 
specifically  or  randomly  depending  on  the  effect  they  wish  to 
achieve.  Malicious  code  is  sent  by  e-mail  or  embedded  in  a 
website  waiting  for  the  victim  to  download  an  attachment  or 
click  a  link.  Once  infected  the  victim’s  computer  becomes  a 
drone  in  the  botmaster’s  network.  The  drone  pings  the  C2 
server  and  receives  instructions.  The  botmaster  on  his  end 
instructs  the  drone  how  to  behave  and  maintains  the  soft¬ 
ware  on  the  C2  server  to  keep  it  up  to  date  so  that  he  has  the 
latest  tools  available.  Botnets  can  include  from  tens  to 
hundreds  of  thousands  of  hots. 


All  of  the  elements  of  cyberspace  in  the  model  have  a  role  to 
play  in  resolution  of  the  attribution  challenge  despite  the  Internet’s 


12 


ambiguity.  The  vulnerability  of  the  data  transport  protoeols, 
sueh  as  TCP/IP  and  media  aeeess  eontrol  (MAC)  addresses,  to 
spoofing  attaeks  is  at  the  root  of  the  attribution  problem. 
While  barriers  to  spoofing  might  be  raised  by  the  deployment 
of  IP  version  6  {IPv6),  a  determined  adversary  would  not  be 
deterred.  Attributing  information  in  a  eyber  attaek  within  a 
parti eular  nation-state  eould  be  found  in  other  layers.  At  the 
logieal  level,  metadata  might  exist  within  files  used  to  exeeute 
an  attaek.  The  databases  to  whieh  information  is  exfiltrated 
or  the  servers  used  to  eommand  a  botnet  might  also  provide 
elues  and  a  trail  baek  to  the  attaeker’s  host  eountry. 

Multistage,  Multijurisdictional  Attacks 

Understanding  network  behavior  requires  examining  relations 
among  network  events  (fig.  2).  The  teehnologieal  issues  related 
to  TCP/IP  outlined  above  are  only  part  of  the  attribution  prob¬ 
lem.  Attribution  is  lypieally  thought  of  as  the  abilify  to  traee  at¬ 
taeks  baek  to  attaekers.  Being  able  to  do  so  allows  an  appro¬ 
priate  response  to  the  attaek  via  law  enforeement  or  military 
aetion.^^  If  attaekers  knew  that  their  aetions  eould  be  aeeurately 
traeed,  attaeks  eould  be  deterred.  Solving  the  teehnieal  attribu¬ 
tion  ehallenge  by  implementing  new  methodologies  and  teeh- 
niques  is  widely  seen  as  the  way  forward  toward  responding  to 
cyber  attacks.  This  can  be  seen  in  the  pressure  to  deploy  the 
upgraded  IPv6  that  has  been  in  the  works  since  1998.^^ 

Although  strengthening  network  protocols  is  desirable,  the 
respected  cyber  experts  David  Clark  and  Susan  Landau  have 
suggested  that  “better  attribution  techniques  will  neither  solve 
nor  prevent”  the  complex  multistage,  multijurisdictional  nature 
of  computer  exploitations  occurring  today. It  is  not  the  pur¬ 
pose  here  to  delve  into  the  intricacies  of  methods  and  tech¬ 
niques  to  technically  attribute  attacks.  It  is  noteworthy  that  the 
multistage  and  cross-jurisdictional  characteristics  of  cyber  at¬ 
tacks  determine  the  complexity  of  determining  the  sources  of 
attacks.  These  factors  highlight  that  gaps  in  international  co¬ 
operation  actually  lie  at  the  core  of  the  attribution  dilemma. 


13 


Ghastzia 


West  Anryms 


Farlandia 


United  States 


♦  Attacker  writes  and 

•  Computers  captured 

sends  code  to 

by  code,  form  C2 

penetrate 

hub  of  botnet. 

computers  to 

Spread  code  further 

propagate  bots. 

afield. 

•  Objective  is 

•  Country  selected 

espionage. 

due  to  weak 

•  Government 

standoffish  to 

technical  capacity 
of  law  enforcement 

information 

and  hostile  record 

requests  postattack 

with  target 

while  publicly 
claiming  it  is 
investigating. 

country. 

Figure  2.  Outline  of  a  hypothetical  multistage,  cross-jurisdictional  attack 
launched  for  the  purpose  of  data  exfiltration 


Spoofing  Machines  to  Mask  Geography 

Very  few  people  are  eapable  of  designing  sophistieated  Stuxnet- 
like  targeted  eyber  weapons.  However,  the  eapabflities  to  mount 
less  sophistieated  exploits  of  vulnerabilities,  sueh  as  spooling  a 
maehine’s  loeation,  have  a  mueh  lower  eost  of  entry.  This  is  due 
to  the  inherent  weakness  of  the  network  protoeols  and  the  avail¬ 
ability  of  anon}miizing  tools.  A  brief  deseription  of  Internet  proto¬ 
eols  as  well  as  anon}miizing  tools  is  provided  below. 

Computer  networks  are  dependent  on  the  use  of  internationally 
standardized  eommunieations  protoeols,  known  as  TCP/IP,  to 
send  and  reeeive  data  paekets  and  information.^^ TCP/IP  allows 
for  the  flow  of  data  paekets  and  information  aeross  eomputer 
networks.  For  example,  maehtnes  identify  eaeh  other  on  the 
Internet  through  IP  and  MAC  addresses.  Designed  and  de¬ 
ployed  for  military  and  researeh  purposes  in  the  late  1960s,  IP 
was  not  intended  to  funetion  as  the  baekbone  of  the  global 
projeet  that  beeame  the  Internet.  Approved  in  1982  as  the 
standard  protoeol  for  military  eomputer  network  eommuniea¬ 
tions,  the  protoeol  was  designed  to  allow  for  data  paekets  to  be 
sent  aeross  a  eomputer  network  in  the  most  effieient  way  the 


14 


network  deemed  possible  at  a  given  time.  The  reasoning  was 
that  in  the  aftermath  of  a  nuelear  war,  hierarehieal  networks 
would  likely  have  had  nodes  eritieal  to  relaying  data  vaporized, 
and  what  was  required  was  a  nonhierarehieal  network  strue- 
ture  that  eould  reroute  data-paekets  in  an  uneorrupted  manner 
from  point  A  to  B  via  other  pathways.  The  ability  to  traek  and 
traee  user  behavior  in  a  high-threat  eomputing  environment 
was  not  built  into  eommunieations  protoeols  beeause  they  were 
intended  for  use  within  a  trusted  military  environment.^^  Yet  it 
is  this  foundational  protoeol  that  other  networks  began  to  build 
out  from,  eventually  morphing  into  the  National  Seienee  Foun¬ 
dation  Network  and  the  Internet.  Aeeording  to  Internet  expert 
Tom  Leighton,  the  Domain  Name  System  (DNS),  ports,  and  IP 
address  systems  are  plagued  by  flaws  that  “imperil  more  than 
individuals  and  eommereial  institutions.  Seeure  installations 
in  the  government  and  military  ean  be  eompromised”  as  well. 
Consequently,  the  eurrent  flaws  in  the  network  arehiteeture  of 
the  Internet  are  a  result  of  relying  on  protoeols  that  were  built 
35  years  ago  when  the  Internet  was  not  a  global  entity  but  a 
elosed  researeh  network.  When  it  did  beeome  global,  there  was 
no  shift  to  ereate  stronger  seeurity  meehanisms. 

To  better  understand  the  funetioning  of  TCP/IP,  a  brief  de- 
seription  of  how  information  is  sent  aeross  networks  is  neees- 
sary.  Data  paekets  are  the  basie  units  of  network  traffie.  They 
are  the  standard  way  of  dividing  information  into  smaller  units 
when  sending  information  over  a  network.  A  signifieant  eompo- 
nent  of  the  eomputer  networks  is  the  IP  header,  whieh  eontains 
information  pertaining  to  the  souree  and  destination  addresses. 
Maehines  require  these  strings  of  numbers  to  eonneet  with 
other  eomputers  on  the  Internet  or  other  networks.^®  All  net¬ 
worked  hardware  must  have  a  valid  IP  and  MAC  address  to 
funetion  on  a  network.  Data  paekets  are  reereated  by  the  re- 
eeiving  maehine  based  on  information  within  a  header  of  eaeh 
paeket  that  tells  the  reeeiving  eomputer  how  to  reereate  the 
information  from  the  paeket  data.  Without  international  stan¬ 
dards,  sueh  as  TCP/IP,  there  would  be  no  assuranee  that  paekets 
eould  be  read  by  a  reeeiving  maehine.^® 

Manipulating  TCP/IP  to  spoof  identities  has  beeome  very 
eommon  in  eyberspaee.  In  the  past,  a  signifieant  understand¬ 
ing  of  networking  was  required  to  spoof  one’s  IP  address.  Over 


15 


the  past  15  years,  tools  anonymizing  Internet  aetivities  have 
proliferated.  “Onion  routing”  of  networks  allows  for  the  mask¬ 
ing  of  a  data  paeket’s  point  of  origin.  Aetivists  may  enter  the 
Internet  from  unseeured  wireless  or  “Wi-Fi”  networks  and 
eybereafes  or  dial  into  Internet  sendee  providers  (ISP)  all  over 
the  planet  to  hide  their  identity  from  the  prying  eyes  of  govern¬ 
ment  eensors.  Malieious  aetors  ean  propagate  hots  to  serve  as 
proxies  for  eyber  attaeks.  Aetors  might  spoof  IP  addresses  to 
injeet  malieious  data  into  eritieal  infrastruetures,  eommit 
fraud,  or  bypass  authorities.^^ 

These  kinds  of  spoofing  attaeks  are  the  erux  of  the  attribu¬ 
tion  ehallenge.  Masking  one’s  loeation  on  the  Internet  destroys 
trust  in  identity  and  seeurity  in  eyberspaee.  An  individual  may 
manipulate  various  layers  of  the  TCP/IP  protoeol  to  ereate  a 
false  appearanee  of  a  user,  a  deviee,  or  even  a  website.  With  the 
global  nature  of  the  Internet,  it  is  possible  for  malieious  aetors 
to  make  their  eomputers  appear  to  be  in  others.  This  teehnique 
allows  skilled  attaekers  to  thwart  eyber  erime  investigations. 
Dorothy  Denning  aptly  states  that  to  “traee  an  intruder,  the 
investigator  must  get  the  eooperation  of  every  system  adminis¬ 
trator  and  network  sendee  provider  on  the  path.”^^  This  is  the 
basis  of  the  attribution  problem,  but  it  would  not  be  an  impos¬ 
sible  ehallenge  with  the  appropriate  global  eyber  polieies  hold¬ 
ing  states  eulpable  for  malieious  eyber  aetivities  in  plaee. 

While  the  ability  to  spoof  one’s  loeation  is  a  eritieal  element 
of  a  eyber  erime,  eyber  espionage,  or  eyber  sabotage,  the  De¬ 
partment  of  State  (DOS)  is  developing  tools  that  utilize  these 
same  vulnerabilities  in  IP  and  network  design  to  promote  free¬ 
dom  of  speeeh  in  elosed  regimes  via  the  Internet.  Sueh  efforts 
eomplieate  the  attribution  of  eyber  attaeks  sinee  people  are  ae- 
tively  trained  to  anonymize  their  Internet  aetivities.  Prospeets 
for  international  eooperation  are  also  dampened  beeause  some 
elosed  regimes  view  breaehing  of  eensor  systems  as  eyber  war¬ 
fare  and  might  not  be  fortheoming  with  information  during  eyber 
attaek  investigations  of  interest  to  the  United  States. 

The  Onion  Router  (TOR)  is  one  example  of  sueh  a  software 
(fig.  3).  It  is  a  distributed  anonymous  network  of  proxy  servers 
eonneeted  by  virtual  enerypted  tunnels  that  allows  anonymous 
eommunieations.  A  eomputer  linked  to  a  TOR  network  trans¬ 
mitting  data  sends  the  data  through  a  series  of  randomly 


16 


How  TOR  Works 


Alice 


Figure  3.  How  TOR  works 

selected  proxy  servers  that  strip  away  one  layer  of  encryption 
along  with  the  IP  identification  information.  The  IP  information 
is  replaced  and  the  data  is  sent  off  to  another  proxy  server  to 
repeat  the  same  process  before  connecting  to  another  server  for 
final  distribution  of  the  information.  The  effect  is  that  observers 
of  the  network  traffic  on  any  of  the  proxy  servers  will  neither  be 
able  to  discern  the  true  location  of  the  point  of  origin  nor  be 
able  to  tell  what  the  destination  of  the  data  is,  unless  the  ob¬ 
server  can  see  the  final  transmission  point.  An  observer  at  the 
destination  point  will  not  know  where  the  data  is  really  coming 
from  as  only  the  location  of  the  last  proxy  server  can  be  detected. 
In  this  way  a  network  address  is  masked — there  is  no  direct 
link  between  the  data  packet’s  point  of  origin  and  final  destina¬ 
tion.  However,  an  observer  operating  the  TOR  server  node  prior 
to  the  final  connection  might  be  able  to  detect  digital  artifacts 
within  the  network  traffic  providing  clues  to  the  user’s  identity 
and  location.  While  TOR  certainly  complicates  attribution  ef¬ 
forts,  weaknesses  exist  that  can  be  exploited  to  identify  machines 
or  persons  on  the  Internet. 

Cyberspace  is  a  dynamic  environment  where  no  defense  will 
be  perfect.  Moreover,  if  targeting  a  specific  network  proves  too 
difficult,  indirect  attacks  taking  out  its  supporting  systems 
might  prove  just  as  effective. 


17 


Responding  to  any  cyber  incident  requires  knowing  the 
answers,  within  acceptable  levels,  to  the  following  questions: 
Who  is  the  threat  agent?  What  motivated  the  agent  and  what 
were  his  objectives?  What  methods  and  techniques  were  used? 
What  were  the  causes  of  the  effect?  Which  services  were  affected? 
What  impact  did  the  event  have?^^ 

The  ecosystem  where  cyber  attacks  occur  is  not  isolated  from 
the  real  world.  Real  people  are  programming  computers  in  spe¬ 
cific  places  to  send  signals  to  other  computers  to  cause  effects 
in  the  “real”  world.  These  signals  can  transit  multiple  countries 
to  get  to  their  target.  Attacks  occur  only  if  there  are  attackers, 
facilitators,  defenders,  and  targets.  One  could  argue  that  cer¬ 
tain  cyber  infrastructures,  such  as  satellites  or  undersea  cables 
through  which  Internet  traffic  flows,  are  not  located  within 
national  jurisdictions.  However,  even  these  are  operated  by 
entities  that  are  registered  within  the  jurisdiction  of  a  sover¬ 
eign  state.  Understanding  the  actors  involved  in  the  progres¬ 
sion  of  a  multistage,  multijurisdictional  cyber  attack  highlights 
the  importance  of  rapid  international  cooperation  to  resolve 
the  cyber  attribution  challenge.  Components  of  cyber  attacks 
include  the  attackers,  defenders,  knowing  or  unwitting  facilita¬ 
tors,  and  the  targets. 

While  the  exploitation  of  vulnerabilities  within  information 
systems  poses  a  threat,  not  all  of  these  attacks  threaten  national 
securify.  Mounting  a  complex  attack  with  effects  of  national  sig¬ 
nificance  while  preventing  event  attribution  would  require  spe¬ 
cialized  capabilities  (fig.  4).  These  would  include  (1)  expert-level 
programming  and  cryptographic  skills,  (2)  detailed  knowledge 
of  industrial  control  systems,  (3)  mastery  of  multiple  open  and 
closed  operating  systems,  and  (4)  detailed  knowledge  of  tele¬ 
communications  and  legal  regimes. 

Attack  Agents 

Attack  agents  can  be  states,  substate  actors  such  as  Chinese 
privateer  hackers  or  Romanian  computer  criminals,  regional  or 
global  organizations  such  as  the  Russian  Business  Network, 
ad  hoc  networks  such  as  LulzSec  or  Anonymous,  malicious 
individuals  such  as  Kevin  Mitnick  before  his  reeducation,  or  a 
nefarious  insider  (fig.  5). 


18 


Actors  and  activities  necessary  for  a  multistage  multi- 
jurisdictional  cyber  event 


Threat  Actor  Enabling  Conditions 


>  Expert-level  programming  skills 
Complex  >  Detailed  knowledge  of  irtdustrial  control 
Threat  Actor  systems 

Capabilities  ^  Mastery  of  multiple  operating  systems 

>  Detailed  knowledge  of  telecommunications 
and  legal  regimes 


Facilitating  Conditions  for  Anonymity 


>■  Lack  of  legal  authorities  to  prosecute  cyber  criminals  or  for  minimum 

standards  in  data  retention 

Weak  National 

Cyber  Policies  ^  Networks  and  processes  of  international  cooperation  absent 
►  Lack  of  international  cooperation  through  a  24/7 

point  of  contact 


Target  and  Events 


>■  Individual  computers  targeted:  event  is  botnet  propagation  for 
financial  ftaud  or  DDoS 

►  Web  servers  targeted:  event  is  hactivism  or  disruption  of  service 
>■  Industrial  control  systems  targeted  :  event  results  in  sabotage  and 

widespread  destruction 


Figure  4.  Some  necessary  conditions  for  cyber  attacks:  a  hoiistic  set  of 
actors  and  activities  required  for  an  anonymized  cyber  attack 


P4 

o 

PM 


Widespread 

Destruction 


Identity 

Theft 


Figure  5.  Attack  agents  and  capabiiities 


Motivating  factors  for  an  attack  are  also  important  when 
gauging  the  attaek  agent’s  intention,  be  it  identity  theft,  espio¬ 
nage,  botnet  propagation,  extortion,  sabotage,  or  widespread 
destruetion  (table  1).  The  first  four  of  these  often  indieate  eeo- 
nomie  ineentives  where  the  perpetrator  of  an  attaek  judged 
that  an  investment  of  time  and  other  resourees  would  bring 
about  a  higher  payoff.  Sueh  eyber  events  are  possible  on  net¬ 
works  sueh  as  the  Internet  that  are  used  for  eommereial  pur¬ 
poses.  The  final  two  indieate  more  malieious  intent.  Sabotage 
and  widespread  damage  would  oeeur  only  if  eritieal  finaneial 
networks,  industrial  eontrol  systems  (ICS),  embedded  systems, 
or  military  networks  were  targeted  by  malieious  adversaries. 
The  level  of  skill  and  finaneial  resourees  required  for  sueh  at- 
taeks  is  signifieant  and,  as  of  this  writing,  outside  of  the  eapa- 
bilities  of  violent  nonstate  aetors.  Cyber  events  of  national  sig- 
nifieanee  are  those  that  result  in  extensive  damage  to  eritieal 
infrastrueture  or  key  assets. 


Table  1.  Motivating  factors  and  targeted  infrastructures 


Motivating  Factor 

Targeted  Cyber  Infrastructure 

identity  theft 

Open,  Multifunction  Networks 

Espionage 

Zombie  propagation 

Extortion 

Internet,  social  media,  mobile  application  markets, 
platforms  as  service,  software  as  service 

Sabotage 

Widespread  destruction 

Closed,  Fixed-Function  Networks 

Industrial  control  systems,  exchange  trading 
system,  Society  for  Worldwide  Interbank  Finan¬ 
cial  Telecommunication  (SWIFT),  military  com¬ 
mand,  control,  and  logistics  networks,  embed¬ 
ded  systems 

The  goals  and  objeetives  of  an  attaek  inelude  information  eor- 
ruption,  fabrieation,  destruetion,  diselosure,  or  diseovery.  System 
subversion  or  disruption  ean  be  additional  goals.  Cyber  events 
oeeur  by  system  or  protoeol  eompromise,  resouree  exhaustion, 
hardware  failure,  or  software  erashes.  The  teehniques  for  these 
objeetives  inelude  the  targeted  exploitation  of  system,  soeial,  or 
protoeol  vulnerability.  Overload  of  network  or  system  resourees 
and  the  autonomous  self-propagation  of  malware  are  other  teeh¬ 
niques  used.  Figure  6  shows  a  speetrum  of  eyber  eonfliet. 


20 


Death,  destruction,  serious 
injury 

Damage  or  injury 

Damage/destroy  critical 
government  systems 

Damage/destroy  critical 
private  systems 

Damage/destroy  noncritical 
government  systems 

Degrade/disrupt  private 
critical  systems 

Degrade/disrupt  noncritical 
government  systems 

Disable  private  noncritical 
systems 

Degrade/disrupt  private 
noncritical  systems 

Change/delete  files  to 
conceal  access 

Installing  implants 
for  persistent  access 

Unauthorized  access 

TRACE  ROUTE  and 
network  mapping 

Port  scanning 

Normal  web  traffic  and 
analysis:  HTTP  GET 

Figure  6.  Spectrum  of  cyber  conflict.  (Courtesy  of  US  Cyber  Command, 
Judge  Advocate) 


Targets  and  Effects 

Social  engineering  eampaigns  target  people  to  exploit  trust 
relationships  among  eomputer  users.  The  reeent  data  breaeh 
at  the  data  seeurity  firm  RSA  is  one  example  of  how  teehnieally 
profieient  and  seeurity-minded  employees  ean  be  soeially  engi¬ 
neered  with  a  malieious  e-mail  message.  Other  soeial  engineer¬ 
ing  targets  ean  inelude  eritieal  infrastruetures  and  finaneial 
networks.  The  effeets  of  a  eyber-related  event  depend  on  the 
perpetrator’s  motivation  for  launehing  the  attaek.  Conse- 
quenees  of  eyber  events  ean  be  either  diserete  and  finite  or 
advaneed  and  persistent.  An  example  of  a  diserete,  finite  event 
is  an  attempt  to  degrade  the  operation  of  eritieal  infrastrueture 
by  attaeking  an  ICS,  a  supervisory  eontrol  and  data  aequisition 
(SCAD A)  system  for  example.  Advaneed,  persistent  threats  are 
linked  with  espionage  and  eriminal  aetivities  that  aim  to  eolleet 
as  mueh  information  about  the  funetioning  of  a  system  as  pos¬ 
sible.  Figure  7  is  a  speetrum  of  the  kinds  of  operations  that  are 
possible  and  the  effeet  they  might  have  on  targeted  systems. 

Effeets  are  observed  either  as  the  result  of  a  eyber  disruption 
within  a  sendee  or  a  easeading  disruption  of  another  sendee 
that  the  targeted  system  depends  on.  The  sendees  affeeted 
eould  inelude  the  seetors  of  energy,  teleeommunieations,  fi- 
nanee,  water  supply,  health  eare,  transportation,  law  enforee- 
ment,  fire  and  emergeney  response,  government  administra¬ 
tion,  shipping,  agrieulture,  eommereial  faeilities,  and  eritieal 
manufaeturing.  The  impaet  of  the  event  eould  harm  eeonomies, 
populations,  or  even  national  seeurity. 

The  motivating  faetors  also  play  a  role  in  the  response.  The 
severity  of  a  eyber  attaek  will  determine  whether  a  response 
will  eross  over  the  national  defense  threshold.  Unlike  eriminal 
attaeks,  whieh  usually  involve  widespread  and  indiseriminant 
targeting  to  obtain  maximum  profit  from  vietims,  eyber  weapons 
are  more  foeused.  It  has  been  noted  that 

a  cyberweapon  might  attack  a  particular  country,  a  type  of  service  (e.g., 
electrical  grid  or  water  system),  or  systems  used  by  a  certain  political, 
ethnic  or  religious  persuasion.  Both  the  Georgia  and  Stuxnet  attacks 
employed  moderately  focused  targeting  (Insufflclently  focused  accord¬ 
ing  to  critics) .  However,  potential  vulnerabilities  and  attack  vectors  will 
not  correlate  much  with  targets  and  there  must  be  significant  testing. 
This  complicates  the  job  of  the  attacker  and  requires  additional  tools 


22 


Spectrum  of  Cyber  Operations 


.  a>  ^  c 
^  U  fC  o  o 

j;  m  ^  S 

<  ^  s  “■ 

^  fC  ^  o 
2  ■-  2 
^  ij  Q.  S' 

>  i'  O 

VJ  Q_  C 


C 

o 


fC 

E 


>N 

D 

'E' 


c 

Q.  E 

3  y- 

i.  O 

“  § 
O  o 
». 

01  OJ 

U  ^ 

D 

o; 

c 


>N  O 
O) 

s  ^ 

O  fC 


c  ^ 
E  -a 


c 

.D 


>N 

_c 

Q. 


C  ^ 

c 

o  c 

03 

cu 

Q. 

E 

>v 

^  c 

_c 

o  - 

■M 

fO 

</) 

fC 

cu 

.t; 

A-J 

OJ 

cn 

</) 

a  Q 

03 

<  • 

CD 

4—* 

CO 

o 

o 

> 

■D 

< 

CD 

O) 

■D 


■D 

C 

CO 

E 

E 

o 

O 

CD 

>, 

o 

U) 

3 


>, 

CD 

CD 


O 

o 

0) 

c 

o 

'i3 

(0 

o 

a 

o 

0) 

A 

> 

u 

H— 

o 

E 

3 


U 

o 

a 

(/} 

N 

£ 

3 

O) 


beyond  those  used  in  purely  criminal  endeavors.  We  can  use  this  differ¬ 
ence  to  our  advantage  in  detecting  cyberweapons  development.^^ 

For  military  purposes,  tracing  the  source  of  cyber  attacks 
might  not  be  as  difficult  as  often  thought.  Cyber -weapon  test¬ 
ing  activity  may  be  spotted  “in  the  wild”  (on  computers  in  day- 
to-day  operations,  outside  of  laboratories  and  research  facili¬ 
ties)  before  an  actual  attack.  Thus,  observers  can  compile  an 
attack  signature  database  much  like  we  have  for  identifying 
aircraft  radar  signatures. 

Criminals  and  cyber  warriors  will  target  institutions  regard¬ 
less  of  whether  there  is  a  way  to  do  it  in  cyberspace.  Many  argue 
the  cost  of  entry  is  low  in  cyberspace  since  it  is  relatively  simple 
to  digitally  rob  a  bank;  disrupt  a  hospital’s  heating,  ventilation, 
and  air  conditioning  system;  or  release  the  floodgates  of  a  dam. 
The  significantly  fewer  resources  required  for  a  cyber  attack 
have  less  to  do  with  the  nature  of  the  domain  and  more  with  its 
poor  technological  development,  design,  and  implementation. 
Software  developers,  hardware  manufacturers,  and  network 
providers  face  no  liability  or  responsibility  for  the  systems  they 
produce  or  operate.  As  a  result,  there  is  no  incentive  to  deliver 
secure  products  to  the  marketplace.  This  risk  will  be  increas¬ 
ingly  manifested  as  cloud  computing  takes  hold  and  as  the  re¬ 
sulting  breaches  destroy  multiple  companies  rather  than  single 
firms. Thus,  global  policy  responses  are  needed  for  international 
cooperation  and  to  incentivize  security  in  the  private  sector. 

Facilitators 

Attack  agents,  especially  those  motivated  by  economic  gains, 
will  try  to  mask  their  identities  and  avoid  prosecution.  They 
will  seek  out  places  where  governance  and  policy  conditions 
facilitate  masking  their  identities.  Nation-states  without  tech¬ 
nical  capabilities  for  preventing  attacks  or  not  practicing  due 
diligence  in  enforcing  laws  to  prosecute  attackers  could  be  con¬ 
sidered  facilitators  of  cyber  attacks.  Complex  attack  agents  will 
likely  have  thorough  knowledge  of  telecommunications  and  legal 
jurisdictions,  allowing  them  to  route  an  attack  through  coun¬ 
tries  lacking  abilities  to  prosecute  cyber  criminals  or  standards 
for  internet  service  providers  to  retain  data  logs  that  could  as¬ 
sist  in  law  enforcement  investigations.  Countries  without 
means  of  international  cooperation,  such  as  a  24/7  point  of 


24 


contact  like  a  national  computer  emergeney  readiness  team 
(CERT),  deseribed  in  detail  as  a  defender  of  eyberspaees  below, 
should  also  be  eonsidered  as  eyber  attaek  faeilitators.  Inaetion 
of  national  governments  to  organize  their  domestie  resourees  to 
eombat  eyber  erime  results  in  havens  for  malieious  eyber  agents. 
Other  faeilitating  aetions  would  inelude  a  refusal  to  respond  to 
requests  for  eooperation  in  responding  to  eyber  attaeks. 

Faeilitators  ean  also  inelude  unwitting  individual  users 
whose  eomputers  have  been  infeeted  with  malieious  eode,  al¬ 
lowing  them  to  be  remotely  eontrolled  by  malieious  agents. 
These  situations  often  arise  simply  from  users’  laek  of  eyber 
threat  awareness,  training,  and  edueation. 

Software  eompanies,  mobile  applieation  developers  and  dis¬ 
tributors,  and  suppliers  of  hardware  ean  beeome  faeilitators  in 
the  produetion  of  the  physieal  and  logieal  eomponents  of  eyber - 
spaee.  Hardware  supply  ehains  have  been  found  to  be  infeeted 
with  malieious  logie  from  manufaeturlng  sourees  outside  of  the 
United  States.  Software  eompanies,  eoneerned  with  their  finan- 
eial  reports,  push  produets  onto  the  market  before  fully  testing 
them  for  seeurity.  In  faet,  many  of  their  programmers  are  not 
trained  to  write  seeure  eode.  The  eontinuing  use  of  Java  and  C# 
to  develop  software  weakens  applieation  seeurliy  and  eontrlb- 
utes  most  of  the  vulnerabilities  eurrently  being  exploited.  More 
seeure  languages  sueh  as  the  Java  Server  Pages  (JSP)  or  the  Ae- 
tive  Server  Pages  (ASP)  and  more  seeure  eoding  praetiees  must 
be  eneouraged.  This  might  be  done  by  automating  seeure  eoding 
praetiees  and  using  more  seeure  eoding  languages,  requiring  in¬ 
vestments  in  seeure  teehnologieal  development  programs,  and 
institutionalizing  software  seeurity  praetiees. 

One  example  of  vulnerabilities  introdueed  by  software  eom¬ 
panies  ean  be  seen  in  Mierosoft’s  experienee  with  China.  In 
2003  China  reeeived  aeeess  to  the  souree  eode  for  Mierosoft 
Windows  in  a  partnership  between  Mierosoft  and  China  to  eo- 
operate  on  the  diseovery  and  resolution  of  Windows  seeurity 
issues.  The  result  was  the  China  Information  Teehnology  Seeu¬ 
rity  Certifieation  Center  (CNITSEC).  The  CNITSEC  Souree  Code 
Review  Lab  is  deseribed  as  “the  only  national  eertifreation  eenter 
in  China  to  adopt  the  international  GB/T  18336  idt  ISO  15408 
standard  to  test,  evaluate  and  eertily  information  seeurity 
produets,  systems  and  Web  serviees.”^®  Despite  the  ISO 


25 


standards,  Chinese  eomputer  seientists  reverse  engineered  the 
eode.  This  allowed  them  to  diseover  zero-day  exploits  in  the 
operating  system.  The  fruits  of  their  efforts  resulted  in  the 
shutting  down  of  the  US  Paeifie  Command  Headquarters  after 
a  Chinese-based  attaek.^® 

When  vulnerabilities  are  diseovered  in  software,  patehes  are  is¬ 
sued  to  seeure  the  eomputer  from  potential  attaek  agents.  People 
often  do  not  keep  their  software  up  to  date  with  the  latest  path  or 
antivirus  definitions.  Most  threat  aetors  exploit  vulnerabilities  that 
are  half  a  deeade  old  in  software  that  has  not  been  updated  by 
users.  Current  eyber  polieies  and  best  praetiees,  ineluding  those  of 
the  Department  of  Defense,  plaee  the  burden  on  individual  users  to 
praetiee  good  eyber  hygiene.  The  DOD’s  Strategy  for  Operating  in 
Cyberspace  eoneludes  that  “most  vulnerabilities  of  and  malieious 
aets  against  DoD  systems  ean  be  addressed  through  good  eyber 
hygiene.  Cyber  hygiene  must  be  praetieed  by  everyone  at  aU  times; 
it  is  just  as  important  for  individuals  to  be  foeused  on  proteeting 
themselves  as  it  is  to  keep  seeurliy  software  and  operating  systems 
up  to  date.”®®  While  there  is  no  argument  against  assuring  that 
users  of  systems  must  remain  aware  and  vigilant,  eurrent  pro¬ 
grams  sueh  as  the  yearly  requirement  of  DOD  Information  Assur- 
anee  Awareness  training  is  not  enough  to  assure  that  individuals 
are  aware  of  the  latest  threats  or  understand  the  risks  posed  by 
information  systems.  Ultimately  the  burden  for  assuring  good 
eyber  hygiene  should  be  plaeed  on  the  serviee  provider. 

Vulnerabilities  in  the  physieal  layer  of  eyberspaee  are  often 
overlooked  in  diseussions  foeusing  on  exploits  at  the  logieal,  in¬ 
formation  layers.  There  are  hardware  supply  ehain  risks  to  eyber - 
seeurity.  For  example,  US  original  equipment  manufaeturers’ 
(OEM)  relianee  on  China,  Singapore,  Taiwan,  and  India  for  design 
and  assembly  of  hardware  eomponents  allows  these  eountries  to 
exploit  their  positions  on  the  supply  ehain  to  implant  malieious 
eode  and  baek  doors  into  equipment  used  by  US  eivilians,  govern¬ 
ment,  and  industry  that  allow  for  esealated  unauthorized  privi¬ 
leges  on  a  platform.  Reeent  trends  indieate  that  vulnerabilities  in 
eomputer  arehiteeture  ean  be  exploited  by  anyone  with  an  under¬ 
standing  of  16-bit  assembly  language  using  open  souree  tools. 
This  lowers  the  threshold  of  expertise.  To  reduee  the  points  of 
entry  into  a  eomputer  system,  industry  must  be  held  aeeountable 
for  supply  ehain  risks  at  the  manufaeturing  plant.  Coneurrently, 


26 


the  USAF,  and  other  national  seeurity  departments  and  ageneies, 
should  reform  their  aequisition  polieies  to  require  hardware  sup¬ 
pliers  to  deliver  their  produets  with  physieal  meehanisms  in  plaee 
to  avoid  trivial  baekdooring  of  hardware. Some  progress  has 
been  made  in  standardizing  supply-ehain  eyberseeuriiy  proee- 
dures  by  the  National  Industrial  Seeurity  Program  (NISP)  for  the 
defense  industrial  base  to  mitigate  the  risk  of  this  threat.  Do- 
mestie  produetion  of  all  hardware  used  for  national  seeuriiy  pur¬ 
poses  eould  be  mandated  to  further  mitigate  the  risk  of  supply- 
ehain  eyber  attaeks. 

All  of  the  above  faeilitating  eonditions  have  resulted  in  an 
eeosystem  that  highly  favors  attaekers,  relegating  defenders  to 
a  postattaek  reaetive  posture.  Industry  software  and  hardware 
developers  thus  need  to  develop  the  eyber  infrastrueture  with 
seeurity  in  mind.  Today,  this  seems  to  be  an  afterthought.  In 
diseussions  with  ehief  information  seeurity  offieers  (CISO)  from 
various  seetors,  as  well  as  presentations  on  applieation  seeu¬ 
rity  at  teehnieal  eonferenees,  the  pieture  being  painted  is  one 
and  the  same:  no  serious  steps  are  being  taken  to  mitigate  the 
eoding  of  vulnerabilities.  One  industry  CISO  noted  that  it  is  not 
the  eompanies’  fault.  Rather,  eurrent  university  eomputer 
seienee  programs  are  more  interested  in  ehurning  out  the  next 
Google  or  Faeebook  than  training  programmers  to  develop  se- 
eure  applieations.^"^  Reform  of  eurrieula  is  met  with  resistanee 
from  faeulty.^^  Thus,  eompanies  may  need  to  take  it  upon 
themselves  to  assure  that  their  software  and  hardware  engi¬ 
neers  are  trained  to  develop  seeure  produets.  The  national  se¬ 
eurity  eommunity  should  use  its  purehasing  power  to  buy  soft¬ 
ware  that  has  been  eoded  with  seeurity  in  mind.  These  are  just 
some  steps  to  begin  redueing  the  only  reason  why  eyber  at¬ 
taeks  are  possible:  that  is,  vulnerabilities  in  software  and  hard¬ 
ware  design  and  implementation.  This  will  not  resolve  the 
problem,  but  at  least  it  will  raise  the  eost  of  attaek. 

Defenders  of  Cyberspaces 

Defenders  of  eyberspaees  inelude  ISPs,  law  enforeement,  eor- 
porate  seeuriiy  branehes,  national  eomputer  emergeney  readiness 
teams,  and  eomputer  seeuriiy  ineident  response  teams  (CSIRT) 
(fig.  8).  CERTs  in  partieular  ean  serve  an  important  funetion  in 


27 


Figure  8.  Incident  response  teams  around  the  worid:  internationai  cooperation  speeds  response  to  Internet  security 
breaches.  (Courtesy  of  Department  of  Homeland  Security — US  CERT) 


global  cybersecurily  cooperation.  When  nations  have  national- 
level  CERTs,  these  offer  meehanisms  for  coordinating  responses. 
Communities  of  trusted  experts  can  provide  insight  into  securiiy 
ineidents  and  vulnerabilities  for  local  CERTs  that  may  need  the 
technical  assistance.  If  a  eomputer  seeurity  ineident  beeomes  an 
event  of  national  signiflcanee,  CERTs  ean  also  serve  in  managing 
and  eoordinating  responses.^® 

Although  prevalent,  CERT/CSIRT  expertise  is  not  uniform 
aeross  national  boundaries.  Vulnerability  and  threat  aware¬ 
ness,  understanding  the  regulatory  and  legal  requirements,  de¬ 
termining  eonstitueneies  and  staffing  requirements,  funding, 
developing  partnerships,  and  establishing  situational  aware¬ 
ness  for  eritieal  infrastruetures,  seeurity  polieies,  and  guide¬ 
lines  are  neeessary  for  a  robust  national  CERT  (fig.  9).  It  is  esti¬ 
mated  that  developing  these  eapabilities  can  take  an3rwhere  from 
18  to  24  months. The  eonsensus  is  that  governments  are  re¬ 
sponsible  for  resoureing  a  CERTs  stand  up  and  eoordinating 
domestie  stakeholders  to  foster  a  national  eulture  of  eyber- 
seeurity.  The  ITU  has  been  undertaking  assessments  of  the 
abilities  of  developing  nations  to  establish  national  CERTs. 
These  are  steps  in  the  right  direetion  that  should  begin  result¬ 
ing  in  better  national  eapabilities  in  the  partieipating  eountries 
over  the  next  5-10  years. 

Efforts  toward  a  global  eulture  of  eyberseeurity  are  starting 
to  find  an  institutional  home  within  the  ITU’s  IMPACT  program 
and  are  guiding  global  awareness  as  to  the  need  to  establish 
CERTs.  The  global  eulture  of  eyberseeurity  (GCC)  will  be  dis- 
eussed  in  greater  detail  in  the  next  ehapter.  Not  all  eountries 
have  similar  eyber  defense  eapabilities.  Many  developing/ 
demoeratizing  eountries  are  souree  eountries  for  eyber  attaeks 
or  are  being  used  to  pivot  eyber  attaeks  in  order  to  mask  their 
true  origins.^® 

Internet  sendee  providers  themselves  are  on  the  forefront  of 
eyber  defense.  ISPs  in  the  West  are  often  reluetant  to  monitor 
their  network  traffie  due  to  eivil  liberties  eoneerns.  The  Stop 
Online  Piraey  Aet  (SOPA)  and  Preventing  Real  Online  Threats  to 
Economie  Creativity  and  Theft  of  Intelleetual  Property  Aet 
(PROTECT  IP  or  PIPA)  that  would  have  authorized  ISP  monitor¬ 
ing  of  eustomers  for  eopyright  infringements  illustrate  how 
ISPs  eould  partieipate  in  the  effort  to  seeure  eyberspaee."^° 


29 


Some  ISPs  abroad,  such  as  TeliaSonera  in  Sweden,  actually 
have  monitoring  systems  in  place  to  lift  the  cyber  hygiene  bur¬ 
den  off  of  customers  (fig.  10). 

Upon  notice,  the  customer’s  machine  is  isolated  from  the 
network  until  the  infection  is  removed.  The  customer  is  then 
returned  onto  the  network.  This  “cycle  of  protection”  for  users 
has  been  successful  in  stopping  infections  on  computers  and 
reducing  the  number  of  computers  on  TeliaSonera’s  networks 
that  are  victims  of  botnet  propagation.  The  company’s  coopera¬ 
tion  with  the  Finnish  national  CERT  and  Microsoft  is  indicative 
of  the  complex  relationships  that  were  required  in  order  to  take 
down  the  Rustock  Botnet,  which  was  responsible  for  high  lev¬ 
els  of  spam  e-mails.  According  to  Arttu  Lehmuskallio,  security 
manager  of  the  CSIRT  at  TeliaSonera,  “The  benefits  of  an  ISP 
monitoring  their  network  are  so  great,  and  the  costs  are  so 


30 


ISP  monitors  traffic  for 
signs  of  infection  in  collaboration 
with  CERT  and  private  sector. 


Customer  rejoins 
network  when 
infection  is  no 
longer  present. 


Disinfection  by 
customer  either  on 
his  or  her  own,  or  by  ISP 
remotely  with 
customer  permission. 


To  prevent  infection  of  other  machines, 
customer's  machine  is  either  removed 
from  network  entirely  or  allowed 
restricted  access  to  the  network. 


Infection  detected! 
Infected  machine 
identified  and 
correlated  to  real- 
world  customer. 


Customer  notified  of 
infection  via  alert  and 
ISP  begins  process 
to  disinfect. 


Figure  10.  Sanitary  iSP 


small,  that  I’m  surprised  more  ISPs  have  not  already  imple¬ 
mented  a  similar  solution.”^^  In  the  United  States,  sueh  eon- 
eepts  apply  in  prineiple,  with  reports  issued  by  the  Department 
of  Commeree  lauding  the  benefits  of  adopting  automation  pro- 
toeols  sueh  as  the  Seeurity  Content  Automation  Protoeol 
(SCAP),  eonttnuous  monitoring,  and  the  Department  of  Home¬ 
land  Seeurity  (DHS)  models  for  automated  eontinuous  seeu¬ 
rity. ISPs  in  the  United  States  tend  to  push  baek,  arguing 
that  they  ean  apply  best  praetiees  voluntarily  without  the  heavy 
hand  of  the  law  foreing  eomplianee."^^  In  response  to  reeent  leg¬ 
islative  efforts  in  2012,  Jason  Livingood,  viee  president  for  In¬ 
ternet  systems  engineering  at  Comeast  said  that  “attempting  to 
impose  uniform  eyberseeurity  solutions  eould  aetually  be 
eounterproduetive,  by  enabling  an  attaeker  that  eraeks  a  single 
solution  to  eompromise  multiple  systems,  and  by  slowing  down 


31 


or  constraining  our  ability  to  rapidly  develop  innovative  eyber- 
seeurity  solutions. However,  the  faets  of  TeliaSonera’s  sue- 
eess  invalidate  this  elaim  sinee  the  Swedish  eompany  was  able 
to  effeetively  implement  a  eourse  of  aetion  that  has  allowed 
Finland  to  elaim  the  lowest  infeetion  rates. 

The  underlying  teehnology  that  allows  TeliaSonera,  however, 
is  the  eontroversial  method  of  deep  paeket  inspeetion  (DPI). 
Privaey  advoeates  in  the  West  are  eoneerned  about  issues  of 
using  DPI  methods  to  read  e-mail  and  other  eontent  on  these 
systems.  TeliaSonera  uses  DPI  “as  a  statistieal  tool  to  gather 
information  about  the  usage  of  the  networks  and  as  an  analyz¬ 
ing  tool  whenever  abnormal  traffie  or  fault  situations  oeeur.”"^^ 

Although  employment  of  this  system  has  redueed  the  amount 
of  eyber  erime,  eivil  libertarians  may  protest  the  use  of  DPI  and 
stall  its  implementation.  Internet  sendee  provider  Comeast’s 
Web  Notifieation  System  Design  eoneept  is  one  innovation  that 
does  not  rely  on  deep-paeket  inspeetion.  It  provides  eritieal 
end-user  notifieations  to  web  browsers.  Sueh  a  notifieation 
system  is  being  used  to  provide  near -immediate  notifieations  to 
eustomers,  sueh  as  to  warn  them  that  their  traffie  exhibits  pat¬ 
terns  that  are  indieative  of  malware  or  virus  infeetion.'^®  It  would 
seem  that  sueh  a  system  might  address  privaey  eoneerns  using 
open  tools  and  standards  to  allow  for  transpareney  in  the  fune- 
tioning  of  non-DPI  eritieal  notifieation  systems.  These  and 
other  sueh  efforts  will  help  ereate  a  eyber  environment  that 
does  not  put  the  burden  of  “eyber  hygiene”  on  the  user  who 
laeks  the  teehnieal  expertise  or  does  not  analyze  his  or  her  net¬ 
work  traffie  looking  for  irregular  patterns  in  the  data. 

The  remainder  of  this  work  offers  a  framework  for  the  ereation 
of  aeeeptable  levels  of  attribution  for  national  responsibility 
aeross  the  domain  of  eonfliet  by  shifting  the  paradigm  from  the 
individual  to  the  state.  Within  the  whole-of-government  eon- 
text,  adherenee  to  baseline  standards  of  behavior  and  the  offered 
framework  would  allow  holding  states  aeeountable  for  aetions 
within  their  sovereign  eyberspaee.  While  a  neeessary  part  of 
the  whole-of-soeiety  response  to  eyber  attaeks,  this  is  only  a 
small  part  of  the  politieal  reality  of  eyberspaee.  The  framework 
provides  suggestions  for  development  of  a  global  eulture  of 
eyberseeurity,  diplomatie  responses,  and — in  ineidents  of 
national  seeurity  signifieanee — military  aetion. 


32 


Notes 


1.  Parks  and  Duggan,  “Principles  of  Cyber -Warfare.” 

2.  One  might  argue  that  it  is  difficult  to  assess  whether  or  not  an  activity 
is  malicious  until  it’s  too  late.  However,  for  the  purpose  of  holding  states  re¬ 
sponsible,  the  model  assumes  that  there  are  preventative  efforts  in  place  that 
would  reduce  the  noise,  thereby  mitigating  the  risk  of  legitimate  network 
activity  being  used  to  disguise  an  attack. 

3.  Libickl,  Cyberdeterrence  and  Cyberwar,  44. 

4.  Healey,  ‘The  Spectrum  of  National  Responsibility  for  Cyber  Attacks”: 
Kanuck,  “Sovereign  Discourse  on  Cyber  Conflict  under  International  Law”; 
and  Yannakogeorgos  and  Mattice,  Strategically  Using  Global  Norms  to  Resolve 
the  Cyber  Attribution  Challenge. 

5.  A  separate  but  related  question  is  whether  cyber  is  a  domain  at  all  or 
whether  the  electromagnetic  spectrum  is  the  domain  and  cyber  is  simply  a 
means  for  enhancing  the  ability  to  exploit  it.  A  similar  parallel  is  how  airspace 
is  the  domain  and  aircraft  allow  its  exploitation.  However,  air  traffic  control 
corridors  and  other  man-made  elements  for  the  exploitation  of  airspace  are 
not  domains. 

6.  Air  Force  Doctrine  Document  3-12,  Cyberspace  Operations,  2-3. 

7.  Clark,  Characterizing  Cyberspace. 

8.  Ibid.,  1.  Note  that  the  definition  of  cyberspace  the  Joint  Chiefs  of  Staff  pro¬ 
vide  in  the  National  Military  Strategy  for  Cyberspace  Operations  is  parsimonious 
with  Clark’s  character-driven  versus  purpose-driven  definition.  The  USAF  should 
consider  embedding  the  JCS  definition  within  its  doctrine. 

9.  Healey,  “Spectrum  of  National  Responsibility  for  Cyber  Attacks.” 

10.  Clark  and  Landau,  “Untangling  Attribution,”  25. 

11.  Llbicki,  Cyberdeterrence  and  Cyberwar,  41-52,  99-100. 

12.  A  note  of  caution  with  the  hope  latched  onto  IPv6 — while  it  works  well  on 
a  small  scale,  it  wUl  stiU  contain  vulnerabilities  that  may  not  be  known  until 
deployed  on  a  vast  scale.  New  security  vulnerabilities  will  be  discovered  and  ex¬ 
ploited,  and  the  learning  curve  will  be  just  as  steep  as  for  the  deployment  of  IPv4. 

13.  Clark  and  Landau,  ‘The  Problem  Isn’t  Attribution,”  1. 

14.  TCP/IP  is  standardized  by  the  International  Organization  for  Standardiza¬ 
tion  (ISO)  for  the  open  systems  interconnection  (OSI)  model  as  the  basis  of  Internet 
and  other  networking. 

15.  Llpson,  Tracking  and  Tracing  Cyber- Attacks,  5. 

16.  Waldrop,  “DARPA  and  the  Internet  Revolution.”  See  also  Leighton, 
‘The  Net’s  Real  Security  Problem,”  44. 

17.  Ibid. 

18.  Molyneux,  The  Internet  under  the  Hood,  85-86. 

19.  Ibid.,  27. 

20.  Indeed,  as  part  of  its  Internet  freedom  agenda,  the  US  Department  of  State, 
in  cooperation  with  Intemet  companies,  is  distributing  tools  for  and  running  sem¬ 
inars  on  how  to  mask  one’s  identity  in  cyberspace.  While  the  goal  is  the  free  flow 
of  information,  these  tools  and  tactics  can  be  used  to  attack  US-based  information 
systems  as  well.  This  does  not  contribute  to  a  safe  cyber  ecosystem. 


33 


21.  Denning  and  Denning,  eds.,  Internet  Besieged,  35. 

22.  Zetter,  “Rogue  Nodes  Turn  Tor  Anon5miizer  into  Eavesdropper’s  Paradise.” 

23.  Harrison  and  White,  “A  Taxonomy  of  Cyber  ENents  Affecting  Communi¬ 
ties,”  1-9.  This  work  included  natural  events;  however,  for  the  purpose  of  this 
paper,  chipmunks  chewing  through  flber-optic  cables  is  not  deemed  to  be  relevant 
to  state  responsibility  for  cyber  attacks. 

24.  Nelson  et  al..  Cyberterror,  90. 

25.  Rowe  et  al.,  “Steps  towards  Monitoring  Cyberarms  Compliance.” 

26.  I  am  grateful  to  Mr.  Lynn  Mattice,  president  and  founder.  National 
Economic  Security  Grid,  for  this  observation. 

27.  Yannakogeorgos,  “Promises  and  Pitfalls  of  the  Private  Public  Partner¬ 
ship  Model,”  259. 

28.  Microsoft  Corporation,  “China  Information  Technology  Security  Certi¬ 
fication  Center  Source  Code  Review  Lab  Opened.” 

29.  Barrett,  “Information  Warfare:  China’s  Response  to  U.S.  Technological 
Advantages.” 

30.  DOD,  Department  of  Defense  Strategy  for  Operating  in  Cyberspace,  7. 

31.  Brossard  and  Demetrescu,  “Hardware  Backdooring  Is  Practical.” 

32.  One  such  option,  as  mentioned  in  Brossard,  is  to  “offer  a  physical  switch 
which  needs  to  be  manually  auctioned  to  allow  the  flashing  of  the  firmware.” 
Such  a  solution  would  certainly  resolve  the  issue  of  kernel-level  Infections. 

33.  DOD  Instruction  5205.13,  Defense  Industrial  Base  (DIB)  Cyber  Security / 
Information  Assurance  (CS/IA)  Activities. 

34.  Personal  interview  with  CISO  from  a  Fortune  500  company  in  mid 
2012. 

35.  Personal  interview  with  professor  of  computer  science  at  a  US  top- 100 
school. 

36.  Killcrece,  Steps  for  Creating  National  CSIRTs,  8. 

37.  Ibid,  17. 

38.  International  Telecommunications  Union  (ITU),  ITU/ IMPACT  Country 
Readiness  Assessment  to  Establish  a  National  CIRT.  ITU-IMPACT  has,  to 
date,  completed  CIRT  workshops  for  29  countries  to  assist  them  in  setting  up 
an  implementation  plan. 

39.  UN  Department  of  Economic  and  Social  Affairs,  Cybersecurity. 

40.  Sandoval,  ‘Top  ISPs  Agree  to  Become  Copyright  Cops.” 

4 1 .  Microsoft  Corporation,  European  Telecom  Uses  Microsoft  Security  Data 
to  Remove  Botnet  Devices  from  Network. 

42.  Department  of  Commerce,  Internet  Policy  Task  Force,  Cybersecurity,  In¬ 
novation  and  the  Internet  Economy,  18;  and  Department  of  Homeland  Security, 
Enabling  Distributed  Security  in  Cyberspace. 

43.  Federal  Communications  Commission,  Reliability  and  Interoperability 
Council,  Working  Group  8,  Communications  Security,  Final  Report. 

44.  Gross,  “ISPs.” 

45.  TeliaSonera,  TeUaSonera’ s  Response  to  the  European  Commission  Con¬ 
sultation  on  Net  Neutrality  and  the  Open  Internet. 

46.  C.  Ghung  et  al.,  “Comcast’s  Web  Notification  System  Design.” 


34 


Chapter  3 


American  Sponsorship  of 
Embryonic  Global  Norms 

Global  norms,  institutions,  and  patterns  of  cooperation 
among  state  and  private  sector  stakeholders  can  serve  as  a 
foundation  for  solving  the  attribution  problem  in  cyberspace. 
Norms  of  state  responsibility  in  cyberspace  must  be  institu¬ 
tionalized  at  the  international  level,  and  they  must  be  enforced 
by  relevant  US  government  departments,  including  defense, 
state,  justice,  and  commerce,  and  by  other  appropriate  federal, 
national,  state,  and  tribal  agencies. 

More  than  one  American  expert  has  noted  that  “although 
numerous  multinational  organizations  are  working  on  various 
aspects  of  cyber  crime  and/or  cyber  conflict,  only  ITU  has  taken 
a  global  view  and  put  forth  an  agenda  intended  to  address  ma¬ 
jor  problem  areas,  while  leveraging  the  efforts  of  other  organi¬ 
zations.”^  In  this  section,  I  aim  to  describe  a  process  that  might 
be  used  to  modify  the  policy  actions  of  states  and  hold  them 
responsible  for  their  actions.  I  argue  that  ineffective  US  at¬ 
tempts  at  multilateralism  will  result  if  the  United  States  con¬ 
tinues  its  path  to  pick  alternative  forums  and  tries  to  lead  the 
world  into  them.  Instead,  I  use  the  lens  of  US  “sponsorship”  of 
global  norms  as  the  suggested  way  forward  to  achieving  US 
objectives  of  securing  cyberspace. 

It  is  without  question  that  the  United  States  has  the  most 
superior  military  in  the  world.  This  does  not  equate  with  being 
able  to  influence  processes  to  achieve  policy  objectives. ^  The 
logic  of  the  current  US  position  is  that  the  United  States  should 
be  able  to  both  make  and  break  norms  at  will  to  achieve  policy 
goals.  As  Finnemore  and  Sikkink  state,  “Sometimes  these  plat¬ 
forms  are  constructed  specificalfy  for  the  purpose  of  promoting 
the  norm,  as  are  many  nongovernmental  organizations  (NGO) 
(such  as  Greenpeace,  the  Red  Cross,  and  Transafrica)  and  the 
larger  transnational  advocacy  networks  of  which  these  NGOs 
become  a  part  (such  as  those  promoting  human  rights,  envi¬ 
ronmental  norms,  and  a  ban  on  land  mines  or  those  that  op¬ 
posed  apartheid  in  South  Africa).”^ 


35 


International  organizations,  as  conduits,  play  a  crucial  role 
in  diffusing  norms.  For  example,  Finnemore  and  Sikkink  sug¬ 
gest,  ‘The  structure  of  the  World  Bank  has  been  amply  docu¬ 
mented  to  effect  the  kinds  of  development  norms  promulgated 
from  that  institution;  its  organizational  structure,  the  profes¬ 
sions  from  which  it  recruits,  and  its  relationship  with  member 
states  and  private  finance  all  filter  the  kinds  of  norms  emerging 
from  it.  The  UN,  similarly,  has  distinctive  structural  features 
that  influence  the  kinds  of  norms  it  promulgates  about  such 
matters  as  decolonization,  sovereignty,  and  humanitarian  re¬ 
lief.”'^  Professionals,  with  legitimacy  born  of  their  expertise  and 
access  to  information,  influence  the  behavior  of  other  actors, 
including  states. 

The  concept  of  American  sponsorship  of  global  norms  has 
emerged  within  the  global  affairs  community  as  one  way  to  ad¬ 
dress  complex  transnational  policy  issues.  Global  affairs  ex¬ 
pert  Simon  F.  Reich  suggests  this  as  a  way  to  merge  hard  and 
soft  power  to  effect  change  on  certain  transnational  policy  is¬ 
sues.  This  concept  entails  an  American  “willingness  to  enforce 
or  underwrite  the  costs  of  enforcing  a  policy  without  necessar¬ 
ily  taking  the  lead  in  placing  it  on  the  agenda.  .  .  .  Sponsorship 
entails  the  selective  enforcement,  by  the  United  States,  of  policy 
initiatives  promoted  by  NGOs  and  codified  by  global  organiza¬ 
tions.  Where  such  conditions  exist,  global  norms  take  root  and 
influence  behavior.”^  The  process  of  norm  development  and  ar¬ 
ticulation  by  private  entities,  norm  codification,  and  norm  in¬ 
stitutionalization  is  a  critical  formula  for  American  sponsor¬ 
ship  to  be  effective.  When  these  conditions  are  not  met,  US 
sponsorship  is  observed  as  unilateral,  imperialistic,  or  ineffec¬ 
tively  multilateral.  It  does  not  result  in  the  desired  outcome  of 
behavioral  management  in  accordance  with  the  norm.  Accord¬ 
ing  to  Reich,  three  conditions  must  be  met  for  the  creation  of  a 
global  norm:  broad -based  support  of  private  entities,  global  in¬ 
stitutional  codification,  and  American  sponsorship  through  en¬ 
forcement.®  As  outlined  in  the  previous  chapter,  the  first  sequence — 
that  is,  the  articulation  of  norms  and  their  (attempted) 
institutionalization — has  been  met.  What  remains  to  be  done  is 
for  the  United  States  to  sponsor  norms  with  soft-  and  hard- 
power  mechanisms.  One  way  forward  is  outlined  below;  how¬ 
ever,  it  remains  for  policy  makers  to  work  toward  the  formulation 


36 


of  effective  US  international  cyber  policy  that  takes  these  aca¬ 
demic  theories  and  applies  their  lessons  to  practice.  Table  2 
represents  the  various  variables  involved  in  norm  lifecycles. 


Table  2.  Norm  lifecycles  and  American  support 


Yes 

No 

Outcome 

Entrepreneurial  support 

X 

■ 

Articulation,  consolidation,  and  implementa¬ 

Institutionalization 

X 

tion  of  global  norm 

American  support 

X 

m 

Entrepreneurial  support 

X 

Articulation  and  implementation  of  imperial¬ 

Institutionalization 

X 

ist  policies  lacking  global  legitimacy 

American  support 

X 

Entrepreneurial  support 

X 

Weak  multilateralism 

Institutionalization 

X 

American  support 

X 

Entrepreneurial  support 

X 

Norms  articulated  and  consolidated  but 

Institutionalization 

X 

weakly  implemented 

American  support 

X 

Entrepreneurial  support 

X 

Norms  articulated  but  not  consolidated  or 

Institutionalization 

X 

implemented 

American  support 

X 

Entrepreneurial  support 

X 

US  unilateralism  or  bilateralism 

Institutionalization 

X 

American  support 

X 

Entrepreneurial  support 

X 

Empty  cell 

Institutionalization 

X 

American  support 

X 

Entrepreneurial  support 

X 

International  regime  in  decline.  Very  weakly 

Institutionalization 

X 

implemented 

American  support 

X 

Reprinted  from  Simon  Reich  with  Panayotis  A.  Yannakogeorgos,  Global  Norms  American  Sponsor¬ 
ship  and  the  Emerging  Patters  of  World  Politics  (New  York:  Palgrave  Macmillan,  2010),  17. 


Beyond  possible  bilateral  measures,  a  global  policy  frame¬ 
work  for  holding  all  states  responsible  for  cyber  attacks  origi¬ 
nating  or  transiting  through  their  territory  is  required.  The  re¬ 
taliation  framework  introduced  in  the  previous  chapter  would 
help  guide  these  efforts.  It  is  argued  that  a  toolbox  for  respond¬ 
ing  to  attacks  needs  to  be  further  developed  to  address  appro¬ 
priate  responses  to  states  that  fall  within  the  spectrum  of  re¬ 
sponsibility.  Elsewhere,  I  have  recommended  that  the  DOD 
and  USAF  create  a  resource  similar  to  the  State  Department’s 
annual  Trafficking  in  Persons  [TIP]  Report  as  a  first  step  toward 


37 


developing  global  norms  that  will  help  identify  what  degree  of 
responsibility  a  state  must  bear  in  a  eyber  attaekJ  It  has  taken 
almost  a  eentury  for  antitraffleking  initiatives  to  evolve  from  an 
area  of  nongovernmental  eoneern  to  eriminalized  aetivity  under 
international  law.  However,  perhaps  as  a  result  of  information 
and  eommunieation  teehnology  (ICT),  eyberseeurity  efforts 
within  institutions  of  diplomaey  have  been  eatafyzed.  What  re¬ 
mains  is  for  the  US  government  to  elean  up  the  eountry’s  eyber 
environment  and  take  the  global  lead  to  establish  the  eoereive 
meehanisms  that  will  solidify  global  norms  of  behavior  for 
eyberspaee. 

American  Sponsorship  of  Global  Norms 

The  United  States  generally  uses  diplomatie  pressure  to  en¬ 
gender  domestie  reforms  and  stimulate  enforeement  of  mini¬ 
mum  standards  for  the  elimination  of  traffieking  in  persons  by 
governments  in  individual  eountries.  Antitraffleking  initiatives 
have  a  long  history,  with  early  efforts  beginning  in  the  mid¬ 
nineteenth  eentury  and  resulting  in  various  treaties.  The  UN 
has  been  dealing  with  this  issue  sinee  the  ineeption  of  the  or¬ 
ganization,  largely  as  the  result  of  pressure  from  nongovern¬ 
ment  organizations.  However,  during  the  Cold  War,  nuelear 
and  other  seeurity  issues  did  not  allow  for  the  United  States  to 
foeus  on  traffieking  issues.  In  the  mid-nineties,  as  a  result  of 
US-based  NGO  pressure  on  the  US  government,  antitraffleking 
beeame  an  important  item  on  the  US  poliey  agenda,  leading  up 
to  the  Traffieking  Vietims  Proteetion  Aet  (TVPA)  of  2000. 

I  suggest  that  one  way  forward  is  to  look  at  the  sueeess  of  the 
United  States  as  the  world  leader  in  stemming  the  seourge  of 
human  traffieking  as  a  model  for  international  engagement  in 
eyberspaee.  Henee,  the  antitraffleking  agenda  has  many  paral¬ 
lels  to  the  global  eyberseeurity  agenda.  The  following  draws  on 
these  eommonalities  to  illustrate  that  poliey  tools  exist  to  hold 
states  aeeountable  for  the  aetions  of  transnational  elements 
operating  on  their  soil. 


38 


The  Anti-trafficking-in-Persons  Initiative 

The  TVPA  added  a  eoereive  eapaeity  to  US  government  efforts 
to  eurb  the  transnational  problem  of  modern-day  slavery.®  Like 
cyber  crime,  human  trafficking  relies  on  actions  not  directly 
attributable  to  a  state  government.  Nevertheless,  states  could 
still  be  held  responsible  for  not  doing  enough  to  end  its  men¬ 
ace.  To  gauge  progress  on  implementing  the  minimum  stan¬ 
dards  for  the  elimination  of  trafficking  applicable  to  the  govern¬ 
ment  of  a  country  of  origin,  transit,  or  destination  for  victims  of 
severe  forms  of  trafficking,  the  TVPA  mandated  that  the  Traf¬ 
ficking  in  Persons  Report  be  issued  annually  by  the  DOS  Office 
to  Monitor  and  Combat  Trafficking  in  Persons.  On  the  basis  of 
these  minimum  standards,  the  TIP  Report  is  designed  to  grade 
the  efforts  of  individual  countries  with  the  intent  of  “naming 
and  shaming”  (and  potentially  sanctioning)  states  adjudged  to 
be  wavering  in  their  efforts.^ 

Based  on  a  three-tier  scale,  the  TIP  process’s  intent  is  to  coerce 
the  worst  transgressors  (Tier  3  countries)  through  the  threat  of 
a  variety  of  sanctions.  Tier  1  countries  are  those  whose  govern¬ 
ments  are  complying  with  the  minimum  standards.  Tier  2  coun¬ 
tries  are  not  complying  but  are  making  significant  efforts  to  do 
so.  Tier  2  watch  list  countries  are  those  in  which  there  are  a 
significant  or  increasing  number  of  trafficking  victims  as  well  as 
an  increasing  failure  to  show  evidence  of  taking  additional  steps 
to  combat  that  situation,  in  contrast  to  the  commitments  the 
country  made  in  the  prior  year.  Once  a  country  is  placed  on  the 
Tier  2  watch  list  in  the  annual  TIP  Report,  it  is  liable  to  automatic 
downgrading  to  Tier  3  status.  Tier  3  countries  face  sanctions. 

To  further  enhance  the  TVPA,  Congress  enacted  and  Pres. 
George  W.  Bush  signed,  the  Trafficking  Victims  Protection  Re¬ 
authorization  Act,  which  refined  and  expanded  the  “minimum 
standards”  for  foreign  governments,  increased  their  responsi¬ 
bility  for  provision  of  data,  created  a  new  “watch  list”  category, 
and,  again,  substantially  increased  funding.  Furthermore,  to 
demonstrate  his  commitment  of  prosecuting  US  citizens.  President 
Bush  signed  the  PROTECT  (Prosecutorial  Remedies  and  Other 
Tools  to  End  the  Exploitation  of  Children  Today)  Act  into  law,  grant¬ 
ing  the  United  States  extraterritorialiiy  in  the  prosecution  of  US 
citizens  engaged  in  child  sex  tourism.^®  Furthermore,  section 


39 


7202  of  the  Intelligence  Reform  and  Terrorism  Prevention  Act 
of  2004  established  the  Human  Smuggling  and  Trafficking 
Center  “to  improve  the  effectiveness  of  ongoing  interagency  ef¬ 
forts,  particularly  in  supporting  the  conversion  of  intelligence 
into  appropriate  enforcement  and  other  response  actions  [and] 
to  achieve  greater  integration  and  overall  effectiveness  in  US 
government  enforcement  and  other  response  efforts  and  to 
promote  intensified  efforts  by  foreign  governments  and  inter¬ 
national  organizations  to  combat  these  problems.” In  addi¬ 
tion  to  the  TIP  program’s  potential  sanctions,  the  Department 
of  Justice  provides  training  and  logistical  support  to  other 
states  in  conjunction  with  the  FBI’s  International  Criminal  In¬ 
vestigative  Training  and  Assistance  Program,  while  the  Depart¬ 
ment  of  Labor  holds  prevention  and  awareness-raising  pro¬ 
grams  abroad. 

Naming  and  shaming  are  not  enough  to  cause  governments 
to  change  their  behavior.  To  give  antitrafficking  initiatives  a 
coercive  capacity,  the  United  States  uses  its  annual  TIP  Report 
and  UN  initiatives  to  go  beyond  naming  and  shaming.  Tier  3 
countries  can  be  subject  to  sanctions  on  “nonhumanitarian, 
nontrade  related  foreign  assistance. Similarly,  the  United 
States  has  threatened  to  withdraw  its  support  for  loans  from 
international  financial  institutions,  such  as  the  International 
Monetary  Fund  (IMF)  and  the  World  Bank,  for  countries  that 
either  do  not  pass  requisite  laws  or  do  not  enforce  them.  Nations 
face  potential  loss  of  US  military  and  economic  assistance  as 
well  as  World  Bank  and  IMF  support.  The  United  States  is  the 
largest  depositor  at  the  World  Bank  and  the  IMF  and  US  sup¬ 
port  has  substantial  implications  for  countries  seeking  loans. 
The  United  States  has  been  just  as  aggressive  on  a  regional 
level  in  organizations  such  as  the  Organization  for  Security  and 
Cooperation  in  Europe  (OSCE)  and  the  Southeast  European 
Cooperative  Initiative  (SECI). 

This  is  a  good  model  on  which  to  begin  shaping  US  policies 
toward  malicious  cyber  behavior.  In  the  following  section,  I  pro¬ 
vide  a  brief  tracing  of  the  fundamental  international  agree¬ 
ments  where  cyber  norms  are  being  articulated  and  developed. 
The  broad  ideas  have  been  echoed  in  US  policy.  However,  when 
the  global  community  attempts  to  institutionalize  the  norms 
within  existing  forums,  such  as  the  International  Telecommu- 


40 


nication  Union,  there  is  US  baeklash.  This,  I  believe,  is  a  mis¬ 
guided  approaeh  and  will  lead  the  world  away  from  eoherent 
eyberseeurity  eooperation.  Indeed,  one  Pew  survey  of  inter¬ 
national  pereeptions  of  Ameriea’s  effort  to  lead  the  world  eon- 
eluded  that  “on  average,  only  one  in  four  agrees  that  the  United 
States  is  an  important  leader  in  promoting  international  laws 
and  sets  a  good  example  by  following  them,  while  two-thirds 
say  the  United  States  tries  to  promote  international  laws  for 
other  eountries,  but  is  hypoeritieal  beeause  it  does  not  follow 
these  rules  itself.”^®  Sueh  pereeptions  of  US  “leadership”  just 
as  easily  extend  to  the  eyber  domain  where  the  United  States 
may  be  trying  to  lead  the  world  in  developing  global  norms  of 
behavior  for  eyberspaee,  while  eoneurrently  it  leads  the  world 
in  infeeted  maehines  and  as  a  souree  of  eyber  attaeks. 

The  Global  Culture  of  Cybersecurity  and 
Embryonic  Norms  for  State  Responsibility 
in  Cyberspace 

What  are  the  prospeets  of  resolving  the  eyber  attribution 
ehallenge  given  our  present  knowledge  of  polities,  government, 
and  law?  Global  eyberseeurity  is  hindered  by  a  laek  of  eyber¬ 
seeurity  aetion  plans  for  organized  defense  at  the  national  level. 
Sueh  plans  would  employ  the  teehnologieal,  managerial,  orga¬ 
nizational,  legal,  and  human  eompeteneies  in  national  seeurity 
strategies  for  defense.  Criminals,  privateer -haeker  networks, 
and  information  warriors  exploit  eountries  laeking  these  strue- 
tures  for  eyber  attaeks  of  national  and  global  signifieanee.  In¬ 
deed,  the  vitality  of  Ameriean  soeial,  eeonomie,  and  govern¬ 
mental  institutions  is  at  great  risk  from  eyber  vulnerabilities 
present  in  less  developed  eountries.^®  Redueing  the  threats  to 
the  United  States  from  eyber  attaek  depends  on  support  for 
already  artieulated  international  norms  of  behavior,  enforeed 
by  loeal  authorities,  to  seeure  the  global  eyber  eeosystem.^® 
Speeifieally,  the  global  eulture  of  eyberseeurity,  whieh  is  a 
broad  normative  framework,  has  already  been  aeeepted  over 
the  past  deeade.  The  norms  therein  may  serve  as  bases  for  dis- 
eerning  a  state’s  wrongful  aets  in  eyberspaee. 


41 


Cyber  norms  guiding  responsible  nation-state  behavior  have 
been  artieulated  in  various  forums.  The  Couneil  of  Europe’s  (COE) 
Convention  on  Cybererime,  November  2001,  seeks  the  alignment 
of  European  Union  (EU)  member  states’  laws  for  evidenee  gather¬ 
ing  and  proseeution  and  inereasing  international  eollaboration 
and  investigative  eapabilities  to  deal  with  eyber  erimes.  Ratified 
by  the  United  States  in  2007,  elements  of  the  COE  eonvention  are 
eonsidered  a  model  text  for  international  eooperation.^°  The  World 
Summit  on  the  Information  Soeieiy’s  Deelaration  of  Prineiples 
eommitted  to  building  a  global  eulture  of  eyberseeurity  promoted, 
developed,  and  implemented  in  eooperation  with  all  stakeholders 
and  international  bodies  of  experts. 

The  Global  Cybersecurity  Behavioral  Baseline 

There  is  eurrently  broad  international  eonsensus  on  what 
the  behavioral  baseline  should  be  for  eyberseeurity.  The  global 
eulture  of  eyberseeurity  grew  from  a  series  of  United  Nations 
General  Assembly  (UNGA)  resolutions.  The  2002  UNGA  Reso¬ 
lution  56/19,  “Developments  in  the  Field  of  Information  and 
Teleeommunieations  in  the  Context  of  International  Seeurity,” 
established  several  embryonie  norms.  The  UNGA  reeognized 
the  global  eharaeteristies  of  ICT,  sueh  as  the  Internet  and  World 
Wide  Web  (WWW),  as  the  bases  for  the  information  soeiety  and 
determined  that  international  eooperation  is  required  to  assure 
the  peaeeful  use  of  ICT.^^  Further,  it  was  aeknowledged  that 
ICT  eould  be  misused  in  ways  that  “adversely  affeet  the  seeu¬ 
rity  of  states  in  both  eivil  and  military  fields. Member  states 
were  eneouraged  to  prevent  the  use  of  information  teehnology 
by  eriminals  or  terrorists  while  eoneurrently  promoting  its 
peaeeful  use,  though  guidelines  for  how  to  do  so  were  not  of¬ 
fered.  In  the  operational  paragraphs  of  Resolution  56/19,  the 
UNGA  ealls  on  member  states  to  support  and  eontribute  to 
multilateral  efforts  tasked  with  identifying  present  and  future 
threats  to  international  seeurity  resulting  from  the  misuse  of 
information  teehnology  and  to  develop  eountermeasures  to 
these  threats.  Cyberseeurity  solutions  must  be  “eonsistent 
with  the  need  to  preserve  the  free  flow  of  information.’’^"^  These 
elements  planted  the  seeds  of  embryonie  norms  that  eontinue 


42 


to  serve  as  the  behavioral  baseline  for  good  behavior  in  eyber- 
spaee. 

In  2002  the  UNGA  also  passed  Resolution  56/121,  “Combat¬ 
ing  the  Criminal  Misuse  of  Information  Teehnologies,”  and 
strengthened  the  language  of  Resolution  56/19,  saying  that 
the  “misuse  of  information  teehnologies  may  have  a  grave  im- 
paet  on  all  States”  and  eneouraging  the  utilization  of  ICT  to 
enhanee  international  eooperation  and  eoordination.^^  A  limit¬ 
ing  faetor  to  seeuring  eyberspaee  was  identified.  “Gaps  in  the 
aeeess  to  and  use  of  information  teehnologies  by  states  ean 
diminish  the  effeetiveness  of  international  eooperation  in  com¬ 
bating  the  criminal  misuse  of  information  technologies.”^®  The 
UNGA  called  for  “cooperation  between  States  and  the  private 
sector  in  combating  the  criminal  misuse  of  information  tech¬ 
nologies  .  .  .  [and]  for  effective  law  enforcement. To  preserve 
the  utility  of  cyberspace,  all  states  must  have  access  to  and  use 
ICT  and  establish  mechanisms  to  deter  the  criminal  misuse  of 
telecommunications  technologies.  The  UNGA  provided  a  frame¬ 
work  for  international  cyberspace  development  in  Resolution 
56/121  by  calling  for  transfer  of  information  technology  to  de¬ 
veloping  countries  and  the  training  of  their  people  to  use  it, 
thereby  enhancing  international  cooperation  in  combating  the 
criminal  misuse  of  information  technology. 

In  2004  the  concept  of  a  “global  culture  of  cybersecurity” 
(GCC)  was  articulated  in  UNGA  Resolution  57/239.^®  Member 
states  recognized  that  “effective  cybersecurity  is  not  merely  a 
matter  of  government  or  law  enforcement  practices,  but  must 
be  addressed  through  prevention  and  supported  throughout 
society.”^®  ‘Technology  alone  cannot  ensure  cybersecurity.  .  .  . 
In  a  manner  appropriate  to  their  [respective]  roles,  government, 
business,  other  organizations,  and  individual  owners  and  users 
of  information  technologies  must  be  aware  of  relevant  cyber - 
security  risks  and  preventive  measures  and  must  assume  re¬ 
sponsibility  for,  and  take  steps  to  enhance  the  security  of  these 
information  technologies.”®®  The  resolution  is  not  binding,  but 
the  basic  tenets  of  the  global  culture  of  cybersecurity  are  sum¬ 
marized  in  table  3. 


43 


Table  3.  Foundations  of  the  global  culture  of  cybersecurity 


Element 

Intended  outcome 

Awareness 

All  information  society  stakeholders,  including  individuals,  should  sustain 
a  level  of  awareness  regarding  the  importance  of  having  secure  informa¬ 
tion  systems. 

Responsibility 

Stakeholders  are  responsible  for  securing  their  own  information  systems 
and  reviewing  the  policies,  practices,  measures,  and  procedures  pertain¬ 
ing  to  their  own  cyberspace. 

Response 

Timely  and  cooperative  response  is  achieved  with  stakeholders  sharing 
information  about  threats,  vulnerabilities,  and  security  incidents  to  facili¬ 
tate  the  detection  of  and  response  to  the  misuse  of  information  systems. 
Cross-border  information  sharing  may  be  required. 

Ethics 

The  ethical  basis  of  the  GCC  is  founded  on  utilitarian  grounds  in  that 
each  participant  is  expected  to  respect  the  interests  of  others  and  to  act 
or  avoid  inaction  that  will  harm  others. 

Democracy 

Cybersecurity  regimes  are  guided  by  democratic  principles,  identified  as 
the  freedom  of  thoughts  and  ideas,  free  flow  of  information,  confidentiality 
of  information  and  communication,  protection  of  personal  information, 
openness,  and  transparency. 

Risk  assessment 

Periodic  broad-based  risk  assessments  of  the  security  implications  of 
technological,  physical,  and  human  factors,  policies,  and  services  should 
be  conducted  to  determine  what  an  appropriate  level  of  risk  is  and  how 
best  to  manage  the  risk  of  potential  harm  to  information  systems  accord¬ 
ing  to  a  scale  based  on  the  importance  of  information  to  the  information 
system  being  assessed. 

Security  design 
and 

implementation 

Security  should  be  incorporated  during  the  planning,  design,  technological 
development,  operation,  and  use  of  an  information  system. 

Security 

management 

It  is  on  the  basis  of  dynamic  risk  assessment  that  security  management 
occurs. 

Reassessment 

Given  the  dynamic  nature  of  the  information  insecurity,  in  order  to  assure 
that  all  the  above  elements  remain  relevant,  a  periodic  reassessment  of 
security  protocols  and  procedures  is  required. 

Adapted  fromUN  General  Assembly,  “Creation  of  a  Global  Culture  of  Cybersecurity,”  Resolution  A/ 
RES/57/239,  31  Jan  2003,  2-3,  http://www.itu.int/ITU-D/cyb/cybersecurity/docs/UN_resolution 
_57_239.pdf. 


In  2003  the  UNGA  addressed  eyber  threats  to  eritieal  infor¬ 
mation  infrastruetures.^^  Critieal  infrastruetures  are  identified 
as  “those  used  for,  inter  alia,  the  generation,  transmission  and 
distribution  of  energy,  air  and  maritime  transport,  banking  and 
finaneial  sendees,  e-eommeree,  water  supply,  food  distribution 
and  publie  health — and  the  eritieal  information  infrastruetures 
that  inereasingly  intereonneet  and  affeet  their  operations. It 


44 


is  urged  that  emergency  warning  networks  should  be  estab¬ 
lished  to  identify  and  warn  of  cyber  vulnerabilities,  threats, 
and  incidents. 

•  General  awareness  should  be  raised  about  the  importance 
of  critical  infrastructures  as  well  as  the  roles  that  stake¬ 
holders  have  in  infrastructure  protection. 

•  The  formation  of  partnerships  between  private  and  public 
stakeholders  to  prevent,  investigate,  and  respond  to  threats 
to  critical  information  infrastructures  should  be  encour¬ 
aged. 

•  Communications  networks  should  be  in  place  and  regu¬ 
larly  tested  to  assure  their  effective  operation  during  a  cri¬ 
sis  situation. 

•  States  should  develop  adequate  domestic  laws  and  policies 
to  allow  the  investigation  and  prosecution  of  cyber  crime. 
States  should  also  assure  adequate  trained  personnel  to 
accomplish  investigation  and  prosecution. 

•  States  are  responsible  for  identifying  the  perpetrators  of 
attacks  against  critical  information  infrastructure  and 
sharing  of  this  information  with  affected  states. 

•  Appropriate  international  cooperation  should  take  place  in 
accord  with  properly  crafted  domestic  laws  assuring  that 
critical  information  infrastructures  are  secure. 

The  statement  of  the  role  of  the  government  in  dealing  with  the 
critical  information  infrastructure  is  clearer  than  in  previous 
resolutions.  Constant  testing  of  the  protection  systems  and 
education  of  personnel  are  deemed  essential  for  the  success  of 
such  measures. 

In  2009  the  UNGA  mandated  a  UN  Group  of  Governmental  Ex¬ 
perts  on  Cybersecurity:  “On  the  basis  of  equitable  geographical 
distribution,  a  group  of  governmental  experts,  which,  in  accor¬ 
dance  with  its  mandate,  considered  existing  and  potential  threats 
in  the  sphere  of  information  security  and  possible  cooperative 
measures  to  address  them  and  conducted  a  study  on  relevant 
international  concepts  aimed  at  strengthening  the  securify  of 
global  information  and  telecommunications  systems. Based  on 
the  results  of  this  work,  the  group  prepared  a  report  for  the  UN 


45 


Secretary  General  in  2010.^“^  The  group  recognized  a  need  for  en¬ 
hanced  dialogue  among  states  to  develop  measures  that  would 
reduce  collective  risk  to  national  and  global  cyber  infrastructures. 
It  also  stated  that  “existing  agreements  include  norms  relevant  to 
the  use  of  ICTs  by  states.  Given  the  unique  attributes  of  ICTs,  ad¬ 
ditional  norms  could  be  developed  over  time.”^^  The  existing 
agreements  are  not  specified,  though  these  would  include  current 
international  laws,  such  as  the  UN  Charter  in  addition  to  UNGA 
resolutions  and  the  World  Summit  on  the  Information  Socieiy 
(WSIS)  outcome  documents.  One  may  extend  this  to  say  that  the 
norms  of  good  cyber  behavior  actually  do  exist.  However,  as  in  all 
matters  of  international  law,  the  elaborations,  perceptions,  and 
interpretations  of  the  elements  in  existing  agreements  and  UNGA 
resolutions  need  global  recognition  and  acceptance. 

In  March  2010,  the  UNGA  adopted  Resolution  64/211  on  the 
“creation  of  a  global  culture  of  cybersecurity  and  taking  stock 
of  national  efforts  to  protect  critical  information  infrastruc¬ 
tures.”  The  resolution  included  an  annex  to  serve  as  a  self- 
assessment  tool  for  national  efforts  to  protect  critical  informa¬ 
tion  infrastructures.  It  addressed  assessment  of  cybersecurity 
needs  and  strategies,  stakeholder  roles  and  responsibilities, 
policy  processes  and  participation,  public/private  cooperation, 
incident  management  and  recovery,  and  legal  frameworks. 
However,  “this  is  a  voluntary  tool  that  may  be  used  by  Member 
States,  in  part  or  in  its  entirety,  if  and  when  they  deem  appro¬ 
priate,  in  order  to  assist  in  their  efforts  to  protect  their  critical 
information  infrastructures  and  strengthen  their  cybersecu¬ 
rity.  These  UN  efforts  should  be  the  framework  for  the  crite¬ 
ria  for  determining  a  state’s  responsibility.  Without  American 
sponsorship,  enforcement  of  the  global  culture  of  cybersecurity 
will  not  work. 

The  WSIS  and  Global  Cybersecurity 

The  global  community  finalized  the  Declaration  of  Principles 
and  Plan  of  Action  for  the  information  society  at  two  convenings 
of  the  WSIS.  These  proceedings  were  unique  because  they  in¬ 
cluded  state  and  nonstate  actors.  Global  norms  of  behavior  for 
the  information  society  were  developed  in  the  lengthy  negotia¬ 
tions  leading  up  to  and  during  the  summits. 


46 


States  are  predominant  in  the  negotiations  in  the  Internet 
government  and  eyberseeurity  forums  being  held  by  the  UN. 
The  foundational  work  was  earried  out  in  the  preparatory  eom- 
mittees  and  the  regional  and  other  eonferenees  related  to  the 
WSIS.^^  The  preparatory  phases  were  the  most  important  sinee 
this  is  where  nation-states  voted  on  items  for  the  summits’ 
agendas,  the  proeesses  and  proeedures  of  the  summit,  and  the 
wording  of  the  final-outeome  doeuments  presented  and  final¬ 
ized  at  the  aetual  summits.  The  states  also  interaeted  with 
global  eivil-soeiety  aetors.  Regional  meetings  were  held  to  sup¬ 
plement  this  work  to  assure  that  eaeh  region  eould  voiee  its 
own  needs  and  expeetations  regarding  the  information  soeiety. 
By  these  means,  the  global  eommunity  has  established  gener¬ 
ally  aeeepted  norms  of  behavior  and  indieators  of  appropriate 
state  behavior  in  eyberspaee. 


Media 


civil  society  entities 
6,241 

32% 


Figure  11.  Number  of  participants  at  WSiS  as  of  18  November  2005. 

(Adapted  from:  “Number  of  participants  recorded  by  the  World  Summit  for 
the  Information  Society”  About  WSIS,  http://www.itu.int/wsis/tunis/newsroom 
/index. html.) 


47 


Figure  1 1  illustrates  the  broad  partieipation  in  the  WSIS  pro- 
eesses  held  under  the  auspiees  of  the  United  Nations  and  the 
ITU.  Originally  founded  in  the  mid-nineteenth  eentury  to  regu¬ 
late  international  telegraphy,  the  ITU  has  brought  government 
and  private  teleeommunieations  interests  together  to  negotiate 
standards,  development,  and  other  issues  pertaining  to  ICT. 
Private  ICT  eorporations  have  built  trust  over  time  as  aetive 
eontributors  to  the  ITU’s  program  of  work.  Although  business 
entities  do  not  have  voting  rights  at  the  ITU,  they  do  serve  as 
norm  entrepreneurs  who  artieulate  standards  of  behavior  and 
provide  agenda  items. 

The  main  doeuments  finalized  during  the  Geneva  phase  of 
the  summit  were  the  Declaration  of  Principles  and  the  Plan  of 
Action.  The  Tunis  Commitment  and  the  Tunis  Agenda  for  the 
Information  Society  reaffirmed  the  world’s  will  to  stimulate  a 
worldwide  information  soeiety  based  on  politieal  agreements. 

During  the  lead-up  to  the  WSIS,  the  United  Nations  Eeo- 
nomie  Commission  for  Europe  reported  on  ehallenges  to  the 
WSIS  proeess.  It  noted  that  eomplexities  and  eontroversies 
arising  from  the  proeess  were  due  not  only  to  development  is¬ 
sues,  but  also  to  politieal  questions  ineluding  the  issue  of  seeu- 
rity.^®  Furthermore,  the  eommission  noted  (in  2002)  that  “there 
is  a  growing  sense  of  fatigue  with  global  eonferenees  and  pro- 
eesses,  and  that  there  is  no  global  arehiteeture  for  inter¬ 
national  dialogue  on  knowledge  of  information  teehnologies.’’®® 
As  of  2012,  the  appropriate  global  arehiteeture  for  interna¬ 
tional  dialogue  eontinues  to  be  a  hotly  eontested  agenda  issue. 
As  an  inereasing  number  of  traek-two  diplomatie  initiatives 
ramp  up  (e.g.,  EastWest  Institute’s  Worldwide  Cyberseeurity 
Initiative),  eonferenee  fatigue  remains  a  key  eoneern. 

The  outeome  doeuments  of  the  WSIS  established  that  seeu- 
rity  is  the  foundation  of  the  information  soeiety.  Paragraph  five 
of  the  Geneva  Declaration  of  Principles  states  that  users  must 
have  eonfidenee  in  the  information  soeiety.  A  framework  of 
trust  that  ineludes  “information  seeurity  and  network  seeurity, 
authentieation,  privaey  and  eonsumer  proteetion”  must  be  es¬ 
tablished  to  assure  that  data,  privaey,  aeeess,  and  trade  are 
proteeted.'^®  The  WSIS  also  reeommended  that  appropriate  ae- 
tions  at  the  national  and  international  levels  should  be  taken 
to  seeure  eyberspaee  so  that  ICT  is  not  used  “for  purposes  that 


48 


are  inconsistent  with  the  objectives  of  maintaining  interna¬ 
tional  stability  and  security,  and  may  adversely  affect  the  in¬ 
tegrity  of  the  infrastructure  within  states. In  this  regard,  the 
Declaration  of  Principles  called  for  all  interested  stakeholders  to 
have  a  strong  commitment  to  “digital  solidarity”  with  govern¬ 
ments  at  the  national  and  international  level  and  recognized 
that  new  forms  of  partnership  will  be  required  in  order  to  meet 
the  goals  set  out  in  the  declaration. 

Participants  in  the  first  phase  of  the  WSIS  in  Geneva  also 
negotiated  and  agreed  on  a  Plan  of  Action.  In  section  C5. 12,  the 
WSIS  laid  out  the  actions  needed  to  reach  the  objectives  con¬ 
tained  in  paragraph  five  of  the  Declaration  of  Principles. Re¬ 
iterating  the  importance  of  security  and  its  role  in  developing 
users’  confidence  with  ICT,  the  Plan  of  Action  recommended 
private /public  partnerships  for  the  prevention,  detection,  and 
response  to  cyber  crime  and  ICT  misuse.  Governments  are  en¬ 
couraged  to  develop  guidelines  to  support  the  ongoing  efforts  in 
these  areas. 

The  Plan  of  Action  emphasized  the  “need  for  enhanced  coop¬ 
eration  in  the  future,  to  enable  governments,  on  an  equal  foot¬ 
ing,  to  carry  out  their  roles  and  responsibilities,  in  interna¬ 
tional  public  policy  issues  pertaining  to  the  Internet,  but  not  in 
the  day-to-day  technical  and  operational  matters,  that  do  not 
impact  on  international  public  policy  issues. 

The  work  at  the  UNGA  and  WSIS  has  established  a  global 
behavioral  baseline  of  responsible  activities  in  cyberspace.  It 
sets  forth  the  criteria  for  the  national  responsibilities  to  secure 
domestic  cyberspace  and  cooperating  in  a  community  to  pre¬ 
vent  the  use  of  cyberspace  by  malicious  actors. 

In  2011  the  White  House  released  the  US  International 
Strategy  for  Cyberspace.  This  document  echoes  much  of  the 
UNGA  and  WSIS  processes.  The  United  States  will 

expand  and  regularize  initiatives  focused  on  cybersecurity  capacity 
building — ^wlth  enhanced  focus  on  awareness-raising,  legal  and  technical 
training,  and  support  for  policy  development.  Such  programs  must  ad¬ 
dress  more  than  purely  technology  issues;  we  will  work  with  states  to 
recognize  the  breadth  of  the  cybersecurity  challenge,  assist  them  in 
developing  their  own  strategies,  and  build  capacity  across  the  whole 
range  of  sectors — from  network  security  and  the  establishment  of  Com¬ 
puter  Emergency  Readiness  Teams  (CERTs),  to  international  law  en- 


49 


forcement  and  defense  collaboration,  to  productive  relationships  with 

the  domestic  and  international  private  sector  and  civil  society. 

This  conforms  to  the  tenets  of  the  global  eulture  of  eyber- 
seeurity  and  indeed  eehoes  the  work  already  being  done  by 
IMPACT,  the  global  eulture  of  eyberseeurity’s  operational  arm, 
although  the  United  States  does  not  eurrently  support  it.  The 
IMPACT  Global  Response  Centre,  based  in  Cybeijaya,  Malaysia, 
was  set  up  in  2009  to  serve  the  international  eommunity  by 
proaetively  traeking  and  defending  against  eyber  threats.  Its 
alert  and  response  eapabilities  inelude  an  early  warning  sys¬ 
tem  that  enables  IMPACT  members  to  identify  and  head  off 
potential  and  imminent  attaeks.  Although  norms  of  eyber  be¬ 
havior  have  been  established,  what  is  missing  is  Ameriean 
sponsorship  of  those  norms.  The  United  States  should  more 
aetively  support  these  efforts  as,  in  the  words  of  John  Grimes, 
former  ehief  information  offieer  of  DOD,  IMPACT  “is  something 
that  is  sorely  needed.  .  .  .  [It’s]  filled  an  important  international 
gap  in  eyber  response  and  eooperation.”^® 

Internationally  Wrongful  Acts  in  Cyberspace 

The  law  of  state  responsibility  is  very  eomplieated  and  took 
three  deeades  to  develop.  In  August  2001  the  International  Law 
Commission  adopted  the  Draft  Articles  on  the  Responsibility  of 
States  for  Internationally  Wrongful  Acts,  whieh  have  established 
the  prtneiple  of  state  responsibility  in  international  law.  State 
responsibility  ean  be  extended  if  the  nature  of  a  eyber  attaek  is 
sueh  that  malieious  data  paekets  are  traeed  baek  to  national 
territory.  Chapter  2,  artiele  4,  states  that  “the  eonduet  of  any 
State  organ  shall  be  eonsidered  an  aet  of  that  State  under  in¬ 
ternational  law,  whether  the  organ  exereises  legislative,  exeeu- 
tive,  judieial  or  any  other  funetion,  whatever  position  it  holds  in 
the  organization  of  the  State,  and  whatever  its  eharaeter  as  an 
organ  of  the  eentral  Government  or  of  a  territorial  unit  of  the 
State. State  responsibility  might  be  extended  to  eyber  at¬ 
taeks  from  national  territory  as  an  aeeepted  prineiple  of  due 
diligenee  under  the  global  eulture  of  eyberseeurity.  That  is, 
state  responsibility  eould  be  inferred,  maybe,  in  an  aet  of  omis¬ 
sion  (as  opposed  to  an  aet  of  eommission). 


50 


Furthermore,  artiele  5  states  that  “the  eonduet  of  a  person  or 
entity  whieh  is  not  an  organ  of  the  State  under  artiele  4  but 
whieh  is  empowered  by  the  law  of  the  State  to  exereise  ele¬ 
ments  of  the  governmental  authority  shall  be  eonsidered  an  aet 
of  the  State  under  international  law,  provided  the  person  or 
entity  is  aeting  in  that  eapaeity  in  the  partieular  instanee.”'^® 

How  ean  we  hold  a  state  responsible  for  aetivities  in  eyber- 
spaee?  Some  arguments  foeus  on  tests  for  the  degree  of  eontrol 
the  state  might  have  had  over  nonstate  aetors  within  their  ter¬ 
ritory  to  establish  overall  and  effeetive  eontrol.'^®  Past  preeedent 
within  the  United  Nations  suggests  that  nonstate  aetors  fune- 
tion  as  de  faeto  agents  of  the  state  if  the  state  is  harboring 
them.  After  9/11,  NATO  attaeked  al-Qaeda  and  the  Taliban.  No 
one  thought  that  the  Taliban  had  eontrol  over  al-Qaeda,  but 
they  were  not  preventing  it  the  use  of  Afghan  territory.  The  in¬ 
ternational  eommunity  aeeepted  intervention  against  a  state 
for  the  aetions  of  nonstate  aetors  in  part  beeause  the  UN  Seeu- 
rity  Couneil  had  voted  on  Resolution  1267  in  1999  that  plaeed 
sanetions  on  both  al-Qaeda  and  the  Taliban  in  Afghanistan. 

Sponsorship  of  “illegal”  aets  and  aetual  eontrol  over  the  non¬ 
state  aetors  within  national  territory  are  important  here.  For 
example,  if  a  state  provides  haeker  tools  online  and  eneourages 
haekers  to  use  those  tools  to  perpetrate  attaeks,  then  the  state 
is  eulpable  for  the  haekers’  aetions.  However,  the  level  of  offi- 
eial  involvement  is  most  often  diffieult  to  diseern — mueh  less 
prove.  This  is  why  the  responsibility  to  respond,  as  stated  in 
UNGA  resolutions,  is  an  important  norm  to  sponsor  and  en- 
foree.  In  the  Estonia  eyber  attaek  ease  of  2007,  patriotie  haek¬ 
ers  in  Russia  were  launehing  attaeks  against  Estonia;  however, 
sinee  the  Russian  government  was  not  openly  eneouraging  the 
haekers,  Russia  eould  not  be  held  responsible  under  the  law  of 
state  responsibility.  At  the  same  time,  it  was  not  responding  to 
requests  for  assistanee,  eontrary  to  its  support  of  the  tenets  of 
the  global  eulture  of  eyberseeurity  in  UNGA  and  the  ITU. 

Global  norms  artieulated  in  the  UNGA  ean  serve  to  establish 
levels  of  state  responsibility  in  a  eyber  attaek.  Although  present 
international  law  does  not  explieitly  address  malieious  eyber 
ineidents,  an  argument  ean  be  made  that  the  UNGA  and  other 
UN  efforts  related  to  global  eyberseeurity  establish  the  base¬ 
lines  for  state  responsibilities  in  eyberspaee. 


51 


Notes 


1.  Westby,  “Conclusion.” 

2.  For  an  important  critique  of  the  contemporary  realist  approach  on  the 
grounds  that  it  fails  to  link  power  to  influence,  see  Lebow,  “Power,  Persuasion 
and  Justice.” 

3.  Finnemore  and  Sikklnk,  “International  Norm  Dynamics  and  Political 
Change,”  899. 

4.  Ibid. 

5.  Reich  and  Yannakogeorgos,  Global  Norms,  American  Sponsorship,  and 
the  Emerging  Pattern  of  World  Politics,  3. 

6.  Ibid.,  4. 

7.  While  there  are  suggestions  to  use  models  based  on  counterterrorism 
efforts,  such  models  should  be  avoided.  Based  on  discussions  in  International 
forums,  such  as  the  EastWest  Institute’s  Worldwide  Cybersecurity  Initiative  in 
London  in  June  2011  (which  the  author  attended),  equating  cyber  crime  with 
terrorism  is  a  controversial  approach  that  will  not  promote  cooperation. 

8.  For  a  more  comprehensive  account  of  the  Trafficking  Victims  Protection 
Act,  see  Reich  and  Yannakogerogos,  “George  Bush  and  the  Sponsoring  of  the 
Anti-Trafficking  Norm.” 

9.  Note  that  if  a  similar  mechanism  were  created,  there  is  a  contrast  in 
cyberspace.  Although  the  Department  of  State  (DOS)  is  uniquely  positioned 
to  collect  information  from  nongovernmental  organizations  (NGO)  on  human 
trafficking,  the  technical  nature  of  cyberspace  makes  the  DOD  the  more  suit¬ 
able  element  of  national  power  to  collect  information  on  cyber  compliance. 

10.  Further,  in  January  2006,  President  Bush  signed  H.R.  972,  the  Traf¬ 
ficking  Victims  Protection  Reauthorization  Act.  This  amended  the  original 
Trafficking  Victims  Protection  Act  further  by  increasing  assistance  to  foreign 
victims  trafficked  to  the  United  States,  increasing  focus  on  children,  and  di¬ 
recting  relevant  US  agencies  to  develop  antltrafficktng  strategies  for  postconflict 
and  humanitarian  crisis  areas.  It  also  extended  US  extraterritoriality  for  US 
government  workers  and  contractors  who  are  involved  in  “acts  of  trafficking,” 
addressing  the  problems  of  peacekeeper  and  aid  personnel  who  are  “com- 
plicit”  in  trafficking.  See  Department  of  Justice,  Assessment  of  U.S.  Govern¬ 
ment  Efforts  to  Combat  Trafficking  in  Persons  in  Fiscal  Year  2004,  13-14. 

11.  DOS,  Charter  and  Amendments. 

12.  Concurrent  with  these  legal  efforts,  the  United  States  aggressively 
pursues  regional  and  multilateral  initiatives.  It  was  an  instrumental  force  in 
the  UN  Commission  on  the  Status  of  Women’s  adoption  of  the  trafficking 
resolution.  See  UN  Commission  on  the  Status  of  Women,  “Eliminating  De¬ 
mand  for  Trafficked  Women  and  Girls  for  All  Forms  of  Exploitation.” 

13.  DOS,  Working  for  Women.  The  document  was  prepared  for  the  10th 
anniversary  of  the  Beijing  Declaration  of  the  UN  Commission  on  the  Status 
of  Women. 

14.  Mlko,  Trafficking  in  Persons,  8-14. 

15.  “America  Will  Not  Tolerate  Slave  Traders,  Bush  Says,”  America  in 
Context,  9,  6. 


52 


16.  See  “Though  Obama  Viewed  Positively,  StiU  Much  Criticism  of  US  Foreign 
Policy,”  World  Public  Opinion.org. 

1 7.  Ghernouti-Helie,  A  National  Strategy  for  an  Effective  Cybersecurity  Ap¬ 
proach  and  Culture. 

18.  Gady,  “Africa’s  Cyber  WMD  [Weapons  of  Mass  Destruction].” 

19.  US  Secretary  of  State  Hillaiy  Clinton  gave  a  speech  on  Internet  free¬ 
dom  in  which  she  stated. 

The  spread  of  information  networks  is  forming  a  new  nervous  system  for 
our  planet.  .  .  .  States,  terrorists,  and  those  who  would  act  as  their  prox¬ 
ies  must  know  that  the  United  States  will  protect  our  networks.  Those 
who  disrupt  the  free  flow  of  information  in  our  society  or  any  other  pose 
a  threat  to  our  economy,  our  government,  and  our  civil  society.  Countries 
or  individuals  that  engage  in  cyber  attacks  should  face  consequences  and 
international  condemnation.  In  an  internet-connected  world,  an  attack 
on  one  nation’s  networks  can  be  an  attack  on  all.  And  by  reinforcing  that 
message,  we  can  create  norms  of  behavior  among  States  and  encourage 
respect  for  the  global  networked  commons. 

Clinton,  “Remarks  on  Internet  Freedom.” 

20.  Council  of  Europe,  Convention  on  Cybercrime. 

21.  World  Summit  for  the  Information  Society  (WSIS),  DeclcirationofPririciples. 

22.  UN  General  Assembly  (UNGA),  “Developments  in  the  Field  of  Information 
and  Telecommunications  in  the  Context  of  International  Security,”  A/RES/56/ 19, 
preHmtnaiy  para.  7. 

23.  Ibid.,  preliminary  paras.  7  and  8. 

24.  Ibid.,  operation  para.  1. 

25.  UNGA,  “Combating  the  Criminal  Misuse  of  Information  Technologies,” 
preliminaiy  para.  5. 

26.  Ibid.,  preliminaiy  para.  6. 

27.  Ibid.,  preliminary  paras.  8  and  11. 

28.  UNGA,  “Creation  of  a  Global  Culture  of  Cybersecurity.” 

29.  Ibid.,  preliminary  para.  5. 

30.  Ibid.,  preliminary  paras.  7  and  8. 

31.  UNGA,  “Creation  of  a  Global  Culture  of  Cybersecurity  and  the  Protec¬ 
tion  of  Critical  Information  Infrastructures.” 

32.  Ibid.,  “Annex:  Elements  for  Protecting  Critical  Information  Infrastruc¬ 
tures,”  preliminary  para.3. 

33.  UNGA,  “Developments  in  the  Field  of  Information  and  Telecommuni¬ 
cations  in  the  Context  of  International  Security,”  A/RES/60/45. 

34.  Indicative  of  the  broad  representation  are  the  15  nation-states  from 
which  representatives  were  appointed  from  Brazil,  China,  Estonia,  France, 
Germany,  India,  Israel,  Italy,  Qatar,  the  Republic  of  Korea,  the  Russian 
Federation,  South  Africa,  the  United  Kingdom,  and  the  United  States. 

35.  UNGA,  Group  of  Governmental  Experts  on  Developments  in  the  Field  of 
Information  and  Telecommunications  in  the  Context  of  International  Security,  8. 

36.  UNGA,  “Creation  of  a  Global  Culture  of  Cybersecurity  and  Taking 
Stock  of  National  Efforts  to  Protect  Critical  Information  Infrastructures.” 


53 


37.  Yannakogeorgos,  “Cyberspace.” 

38.  UN  Economic  Commission  for  Europe  (UNECE),  Information  Society  in 
Europe  and  North  America,  3. 

39.  Ibid. 

40.  Ibid.,  para.  5.35. 

41.  Ibid.,  para.  5.36. 

42.  WSIS,  Plan  of  Action,  section  C5.12. 

43.  WSIS,  Tunis  Agenda  for  the  Information  Society,  para.  69. 

44.  The  White  House,  International  Strategy  for  Cyberspace,  Prosperity, 
Security,  and  Openness  in  a  Networked  World,  15. 

45.  Westby,  “US  Administration’s  Reckless  Cyber  Policy  Puts  Nation  at  Risk.” 

46.  Ibid. 

47.  UN,  Responsibility  of  States  for  Internationally  Wrongful  Acts,  2001, 
pt.  1,  chap.  2,  art.  4. 

48.  Ibid.,  art.  5. 

49.  Shackelford,  “State  Responsibility  for  Cyber  Attacks.” 


54 


Chapter  4 


A  Framework  for  Development, 
Diplomacy,  and  Defense 

The  subject  of  this  chapter  is  a  possible  framework  to  guide 
US  statecraft  in  cyberspace  based  on  the  antitrafficking  initia¬ 
tives  the  United  States  sponsored  in  the  past  decade.  As  has 
been  noted  throughout  this  work,  nation-states  are  not  cur¬ 
rently  held  culpable  for  the  actions  of  malicious  agents  in  cy¬ 
berspace.  The  United  States-China  Economic  and  Security  Re¬ 
view  Commission  recently  stated  that  “even  if  circumstantial 
evidence  points  to  China  as  the  culprit,  no  legislation  or  policy 
currently  exists  to  easily  determine  appropriate  response  options 
to  attacks  on  U.S.  military  or  civilian  networks  in  which  defini¬ 
tive  attribution  is  lacking.  Beijing,  understanding  this,  could 
easily  exploit  such  gray  areas  in  U.S.  policymaking  and  legal 
frameworks  to  create  delays  in  U.S.  command  decision  mak¬ 
ing.”^  A  framework  for  responding  to  a  range  of  state  activity  in 
cyberspace  is  required — not  only  going  after  the  people  com¬ 
mitting  wrongful  acts  in  cyberspace,  but  acting  against  the 
state  that  is  responsible  for  either  promoting  or  allowing  mali¬ 
cious  cyber  activities. 

Cyber  statecraft  specialist  Jason  Healey  developed  a  taxon¬ 
omy  of  a  range  of  actions  for  state  responsibility.^  It  provides  a 
useful  framework  for  categorizing  state  actions  regarding  cyber 
attacks.  I  have  used  it  as  a  starting  point  for  developing  a 
broader  response  framework  for  actions  or  inactions  in  re¬ 
sponding  to  a  range  of  cyber  incidents.  Table  4  combines  the 
Healy  taxonomy  with  a  framework  for  development,  diplomacy, 
and  defense. 

In  the  range  of  state  activities  above,  there  are  three  phases 
of  response  within  the  categorization  of  state  action  that  could 
potentially  guide  cyber  statecraft  responses  by  the  US. 

State-prohibited  cyber  attacks  are  those  which  a  state  has 
laws  against  and  for  which  it  has  enforcement  mechanisms  in 
place  but  which  may  occur  anyway.  If  cyber  attacks  occur  de¬ 
spite  prohibition,  the  state  is  nevertheless  in  violation  of  its 
responsibility  to  prevent  use  of  its  territory  against  other  states. 


55 


Table  4.  US  cyber  retaliation  framework 


Range  of  State  Activity 

Development 

Diplomacy 

Defense 

State  prohibited 

X 

State  prohibited  but  inadequate 

X 

State  ignored 

X 

X 

State  encouraged 

X 

State  shaped 

X 

State  coordinated 

X 

State  ordered 

X 

State-rogue  conducted 

X 

State  executed 

X 

State  integrated 

X 

Adapted  from  Jason  Healey,  “Beyond  Attribution:  A  Vocabulary  for  National  Responsibility  for 
Cyber  Attacks"  (Vienna,  VA:  Cyber  Conflict  Studies  Association,  2010).  The  cyber  retaliation  frame¬ 
work  is  Dr.  Yannakogeorgos’s  addition  to  a  taxonomy  for  nation-state  actions  adapted  from  categories 
of  nation-states  in  “Beyond  Attribution.” 


but  the  state  eould  be  eligible  for  US  aid  in  eombating  eyber 
erime.  Refusing  aid  would  then  plaee  the  state  in  a  subsequent 
eategory  for  response. 

This  seeond  range  for  response  options  is  one  in  whieh  sane- 
tions  are  either  authorized  bilaterally  or  pursued  multilaterally 
and  diplomatieally.  If  there  is  some  state  involvement,  then  US 
eountermeasures  eould  be  justified  as  well. 

The  standards  of  overall  and  effeetive  eontrol  of  eyber  aetivity 
within  and  emanating  from  a  sovereign  territory  are  eurrently 
used  to  attribute  state  behavior.  While  useful  guides,  these 
standards  do  not  eompletely  resolve  the  attribution  problem 
sinee  there  is  no  established  ease  law  where  states  have  been 
held  responsible  for  eyber  attaeks.  The  effeetive  eontrol  stan¬ 
dard  requires  proof  of  state  involvement  without  any  reason¬ 
able  doubt.  ^  The  problem  is  that  this  standard  relies  on  a  world 
where  perfeet  attribution  exists — a  world  in  whieh  states  have 
perfeet  evidenee  to  attribute  the  attaek.  This  world  does  not  ex¬ 
ist.  On  the  other  hand,  the  world  where  the  overall  eontrol 
standard  allows  vietims  to  hold  states  responsible  for  damages 
does  exist  and  governments  must  be  made  aware  of  their  obli¬ 
gations  and  the  implieations  of  failure  to  eomply  with  their  re¬ 
sponsibilities  under  international  law. 


56 


Development,  Diplomacy,  and  Defense  Responses 

This  section  introduces  a  framework  based  on  sponsored 
global  norms. The  development,  diplomacy,  and  defense  struc¬ 
ture  articulated  within  the  White  House’s  recent  International 
Cyber  Strategy  is  a  positive  step  toward  American  sponsorship 
of  global  norms.  As  has  been  noted,  embarking  on  a  path  that 
diverges  from  the  accepted  global  culture  of  cybersecurity  es¬ 
tablished  within  the  ITU  will  result  in  noncooperation  and  the 
United  States  being  perceived  as  imperialist.^  Indeed,  this  al¬ 
ready  seems  to  be  the  case.  Closed  forums  such  as  the  Organi¬ 
zation  for  Economic  Cooperation  and  Development  (OECD), 
which  is  being  pursued  as  a  vehicle  to  forward  US  Internet 
policy,  wiU  not  promote  global  cooperation  for  the  security  of 
the  cyber  commons  except  among  already  like-minded  devel¬ 
oped  states.  A  way  forward  would  be  for  like-minded  states  to 
use  the  OECD  and  other  regional  councils  to  develop  common 
positions  from  which  they  can  negotiate  at  the  ITU.  In  this  way, 
the  United  States  could  begin  to  manage  the  cyber  behaviors  of 
states  with  broad  support  and  cooperation  with  the  interna¬ 
tional  community.  Development,  diplomacy,  and  defense  could 
then  be  within  US  sponsorship  of  global  policy  initiatives. 

Development 

Not  aU  coimtries  have  an  equal  capaciiy  for  investigating  cyber 
events.  They  need  assistance  to  help  stem  the  flow  of  malicious 
activities  through  their  borders.  The  ITU  issues  a  Toolkit  for 
Cybercrime  Legislation  that  countries  may  use.®  This  is  one 
way  to  provide  technical  assistance  and  education  to  all  aspects 
of  socieiy,  especially  to  government  and  law  enforcement  officials. 

The  White  House’s  International  Strategy  for  Cyberspace 
states  that  the  United  States 

will  expand  and  regularize  initiatives  focused  on  cybersecurity  capacity 
building — with  enhanced  focus  on  awareness-raising,  legal  and  technical 
training,  and  support  for  policy  development.  Such  programs  must  ad¬ 
dress  more  than  purely  technology  Issues;  we  will  work  with  states  to 
recognize  the  breadth  of  the  cybersecurity  challenge,  assist  them  in 
developing  their  own  strategies,  and  build  capacity  across  the  whole 
range  of  sectors — from  network  security  and  the  establishment  of  Com¬ 
puter  Emergency  Readiness  Teams  (CERTs),  to  international  law 


57 


enforcement  and  defense  collaboration,  to  productive  relationships 

with  the  domestic  and  international  private  sector  and  civil  society.^ 

This  echoes  several  of  the  elements  of  the  global  culture  of 
cybersecurity,  as  well  as  the  work  being  done  within  the  ITU’s 
IMPACT  With  US  sponsorship  these  endeavors  could  be  under¬ 
taken  within  existing  multilateral  institutions.  The  existing  in¬ 
stitutional  frameworks,  such  as  those  being  developed  at  IMPACT, 
could  be  used  to  avoid  duplicating  efforts  within  frameworks 
accepted  by  other  countries.  This  would  also  avoid  the  risk  of 
the  United  States  appearing  imperialistic. 

Diplomacy 

To  offer  technical  assistance  and  development,  partnerships 
with  countries  need  to  be  established  on  the  basis  of  trust  and 
confidence.  The  White  House  strategy  notes,  “As  countries  de¬ 
velop  a  stake  in  cyberspace  issues,  we  intend  our  dialogues  to 
mature  from  capacity-building  to  active  economic,  technical, 
law  enforcement,  defense  and  diplomatic  collaboration  on  is¬ 
sues  of  mutual  concern.”®  The  strategy  also  clearly  articulates 
that  the  White  House  will  take  steps  to  “facilitate  relationships 
among  countries  developing  cybersecurity  capacity — using 
both  regional  fora  and  technical  bodies  possessing  specialized 
expertise — and  will  continue  to  promote  the  sharing  of  best 
practices,  lessons  learned,  and  international  technical  ex¬ 
changes.”^  While  these  are  positive  words,  the  United  States 
should  abandon  the  practice  of  forum  picking.  Despite  the 
shortcomings  of  the  ITU,  the  United  States  must  lead  within 
this  institution  to  assure  that  others  follow. 

The  DOD  and  the  Air  Force  with  its  global  mission  also  have 
roles  to  play  in  this  diplomacy.  The  2011  National  Military 
Strategy  mamtamed  that  the  DOD  is  essential  in  fostering  re¬ 
gional  and  international  cooperation  in  response  to  trans¬ 
national  threats.  For  example,  cooperative  security  could  be 
further  developed  by  tunneling  transnational  threats  through 
combatant  commanders  who  can  leverage  their  resources 
“tailor[ed]  to  their  region  and  coordinate[d]  across  regional 
seams. The  Air  Force  conducts  an  array  of  diplomatic  mis¬ 
sions  established  in  the  Air  Force  Security  Cooperation  Strategy 
and  offers  many  additional  irregular  and  ad  hoc  diplomatic 


58 


missions.  Given  its  cyber  technical  expertise,  the  Air  Force 
would  be  optimally  positioned  to  assist  nations  in  their  develop¬ 
ment — ^with  foreign  officer  cybersecuriiy  training  within  its  Air  Uni¬ 
versity — and  in  building  international  partnerships  for  exchang¬ 
ing  technical  information  on  cyber  attacks.  Since  the  Air  Force 
was  the  first  to  stand  up  a  cyber  command,  Air  Force  experi¬ 
ence  would  be  useful  in  assisting  friends  and  allies  in  standing 
up  their  own  cyber  commands. 

More  rigorous  diplomatic  initiatives  could  also  be  directed 
toward  states  that  choose  to  continue  down  the  path  of  ignor¬ 
ing,  encouraging,  shaping,  and/or  coordinating  cyber  attacks. 
The  US  policy  community  could  explore  a  framework  for  invok¬ 
ing  chapter  7  of  the  UN  Charter  to  authorize  sanctions  against 
countries  that  fail  to  abide  by  global  norms  of  behavior  in 
cyberspace.  Proposals  for  new  legal  mechanisms  to  combat 
cybercrime  and  global  cyber  attacks  have  also  been  sug¬ 
gested.  However,  these  will  be  long-term  legal  efforts  similar 
to  the  UN  Convention  on  the  Law  of  the  Sea  and  International 
Court  of  Justice  processes;  the  same  controversy  surrounding 
the  latter  would  likely  exist  with  the  formation  of  cyber  legal 
mechanisms. 

Both  soft  and  coercive  diplomacy  thus  could  serve  to 
strengthen  the  role  of  capacity -building  initiatives.  They  also 
provide  institutional  frameworks  for  cooperation  among  like- 
minded  countries  wishing  to  benefit  from  a  trustworthy  cyber 
environment.  States  can  be  held  responsible  for  their  actions 
by  eliminating  the  option  of  plausible  deniability. 

Defense 

Inevitably,  the  United  States  will  face  adversaries  who  are 
ordering,  executing,  and  integrating  attacks  or  cooperating 
with  rogue  entities.  The  US  military  leadership  has  purposed  to 
“be  prepared  to  demonstrate  the  will  and  commit  the  resources 
needed  to  oppose  any  nation’s  actions  that  jeopardize  access  to 
and  use  of  the  global  commons  and  cyberspace,  or  that  threaten 
the  security  of  our  allies. Defensive  options  in  the  face  of  cyber 
attack  could  include 

•  throttling  Internet  traffic. 


59 


•  blocking  Internet  traffie, 

•  offensive  eomputer  operations  in  hot  pursuit,  or 

•  kinetie  attaeks  in  response  to  eyber  events  of  national 
signifieanee. 

It  is  important  to  note  that  responses  one  and  two  above  are 
not  easy  given  that  the  private  seetor  eontrols  the  infrastrue- 
ture  of  the  Internet.  Additionally,  sinee  an  argument  eould  be 
made  that  sueh  measures  are  eontrary  to  the  free  flow  of  infor¬ 
mation  aeross  the  global  networks,  a  proper  poliey  framework 
is  needed  to  establish  the  eonditions  in  whieh  throttling  or 
bloeking  Internet  traffie  eould  be  justified.  Sanetions,  bloeking, 
throttling  of  traffie,  and  other  aetions  short  of  war  eould  all  be 
taken.  Confliet  in  eyberspaee  that  esealates  into  kinetie  attaeks 
eould  oeeur  if  the  effeets  of  eyber  attaek  are  eonsequential 
enough— attaeks  against  eriheal  tnfrastruetures  that  ereate  effeets 
of  national  signifieanee.  Riehard  Clarke  in  his  book  Cyber  War 
offers  many  sueh  hypothetieal  seenarios.^'^  Response  to  eyber 
attaek  would  be  a  poliey  deeision,  not  an  automatie  response. 
States  engaged  in  eyber  warfare  might  not  even  mask  their  ae- 
tivities,  thereby  obviating  the  attribution  ehallenge  altogether.^® 

A  Need  for  Norms  on  Cyber  Weapons 

While  global  norms  have  been  artieulated  regarding  eriminal 
and  terrorist  eyber  aetivities,  none  have  been  devised  regarding 
the  design  and  use  of  eyber  weapons.  Stuxnet  was  a  proof  of 
eoneept  attaek  against  SCADA  and  ICS.  Just  beeause  the 
United  States  was  not  the  apparent  target  does  not  mean  that 
it  will  not  be  in  the  future.  Rumors  aside,  it  is  still  unelear  who 
launehed  Stuxnet — the  malieious  worm  software  that  eaused 
Iranian  nuelear  eentrifuges  to  spin  out  of  eontrol.  However,  it 
was  a  well-designed  eyber  weapon  that  did  not  eause  global  effeets. 
Indeed,  if  Iranian  elaims  are  to  be  believed,  its  effeets  were  re¬ 
versed  and  Iran’s  nuelear  program  is  baek  on  traek.^^ 

The  United  States  eould  begin  advoeating  norms  of  respon¬ 
sible  eyber  weapon  development.  If  properly  designed,  the  ef- 
feet  of  a  eyber  weapon  ean  be  reversed.  For  instanee,  aeeording 
to  Geneva  Convention  diseussions  on  eyberspaee,  the  effeets 
produeed  in  ball  bearing  faetories  eould  be  sueh  that  they  eould 


60 


be  reversed  upon  war  termination.  Neil  Rowe’s  framework  for 
ethieal  eyber  weapon  design,  below,  is  one  good  plaee  to  start. 
He  deseribes  several  reversible  ways  that  attaekers  attempt  to 
foil  their  vietims,  ineluding 

1 .  enerypting  key  software  and  data  so  that  vietims  are  un¬ 
able  to  deerypt  it; 

2.  obfuseating  systems  via  data  manipulations  that  are  hard 
to  understand  yet  algorithmie  and  reversible; 

3.  withholding  key  information  that  is  important  to  the  vie- 
tim;  [and] 

4.  deeeiving  vietims  to  make  them  think  their  systems  are 
not  operational  when  they  aetually  are.^® 

As  Rowe  deseribes,  “In  the  first  two  eases,  reversal  ean  be 
aehieved  by  software  operations  by  the  attaeker;  in  the  third 
ease,  the  attaeker  ean  restore  missing  data;  and  in  the  fourth 
ease,  the  attaeker  ean  reveal  the  deeeption.”^^  The  DOD  eould 
begin  promoting  this  sort  of  norm  of  eyber  weapons  develop¬ 
ment  by  adopting  some  of  these  measures  if  it  ehooses  to  eon- 
duet  an  offensive  eyber  operation.  Sueh  a  norm  would  make 
attaeks  direetly  traeeable  to  an  attaeker  and  make  for  more 
responsible  eyber  weapons. 

Adequate  international  norms  of  eyber  behavior  exist,  and 
the  United  States  has  a  role  to  play  in  the  sponsorship  of  these 
norms.  I  have  deseribed  a  taxonomy  for  state  responsibility 
and  the  possible  role  of  the  United  States  in  eyber  warfare 
poliey  development,  diplomaey,  and  defense.  The  objeets  of  all 
of  this  are  to  ereate  a  framework  for  state  responsibility  and  to 
reduee  the  gaps  in  international  eooperation  and  domestie  laws 
that  undermine  global  eyberseeurity.  The  time  is  at  hand  to 
disallow  plausible  deniability  and  to  promote  the  global  norms 
of  eyber  behavior. 

Language  for  “Victims  of  Trafficking  in 
Malicious  Code”  Legislation 

What  is  required  for  US  government  sponsorship  is  US  legis¬ 
lation  to  mandate  international  engagement  on  eyber  erime. 
Current  draft  legislation,  sueh  as  the  Cyberseeurity  Aet  of 


61 


2012,  is  indicative  of  movement  in  Congress  toward  this.  Seetions 
of  the  bill  inelude  provisions  for  the  eoordination  of  inter¬ 
national  eyber  issues  with  the  US  government,  eonsideration 
of  eyber  erime  in  foreign  poliey,  and  foreign  assistanee  pro¬ 
grams.^®  Overall,  what  is  needed  is  engagement  in  multilat¬ 
eral  and  bilateral  diplomaey  to  develop  international  eoopera- 
tion  and  development  to  enhanee  foreign  nation  eapabilities 
to  eombat  eyber  threats. 

One  differenee  between  the  TVPA  model  and  a  potential  ad¬ 
aptation  of  it  for  eyber  attaeks  is  that  the  DOD  should  be  man¬ 
dated  to  serve  as  the  elearinghouse  for  data  pertaining  to  state 
behavior  and  eyber  attaeks.  Current  draft  legislation  plaees  the 
overarehing  international  engagement  strategy  within  the  US 
Department  of  State.  With  human  traffieking,  the  sourees  of 
information  are  NGOs  with  whom  the  DOS  maintains  elose  af¬ 
filiations  by  its  diplomatie  work.  The  DOD  has  the  teehnieal 
eapaeity  and  relationships  with  private  entities  to  report  on 
state  eyber  behaviors  and  investigation  eapaeities.  The  DOD 
should  provide  annual  reports  modeled  on  the  TIP  reports  to 
deseribe  the  eompUanee  with  relevant  global  polieies  in  the  UNGA’s 
global  eulture  of  eyberseeurity.  The  US  Air  Foree  in  partieular 
is  the  most  suited  to  provide  its  best  praetiees  and  lessons 
learned  to  nations  requiring  developmental  assistanee. 

Further  steps  need  to  be  taken  in  legislation  drafted  by  Con¬ 
gress  similar  to  the  TVPA  to  guide  the  government’s  efforts  to 
name  and  shame  eountries  misbehaving  in  eyberspaee.  The 
following  elements  should  be  ineluded  as  minimum  standards 
of  making  serious  and  sustained  efforts  to  eliminate  eyber 
erime  (see  also  fig.  12): 

•  Review  and  update  legislation  and  regulations  for  the  in¬ 
vestigation  and  proseeution  of  eyber  erime,  ineluding  ex¬ 
tradition  measures  that  may  be  outdated  or  obsolete. 

•  Determine  key  eyberseeurity  stakeholders  in  national  and 
loeal  governments,  industry,  eivil  soeiety,  and  aeademia  for 
the  development  of  networks  and  proeesses  of  interna¬ 
tional  eooperation  to  enhanee  ineident  response  and  eon- 
tingeney  planning. 

•  Assure  that  proseeutors,  judges,  and  legislators  have  an 
adequate  level  of  understanding  of  eyber  issues. 


62 


•  Create  government  points  of  eontaet  to  monitor  data  pat¬ 
terns  for  evidenee  of  malieious  eyber  aetivities. 

•  Create  24/7  international  eyber  erime  eontaets  (CERT/ 
CSIRT)  to  eooperate  with  international  eounterparts  for  in¬ 
vestigating  transnational  and  international  malieious 
eyber  events. 

•  Preseribe  punishment  eommensurate  with  that  for  grave 
erimes,  sueh  as  eriminal  behavior  or  armed  attaeks,  for 
any  eyber  attaek  involving  government  offieials. 

•  Preseribe  punishment  that  is  suffieiently  stringent  to  deter 
and  that  adequately  refleets  the  reality  of  the  offense  for 
individuals  engaged  in  malieious  eyber  behavior  within 
sovereign  territory. 


Figure  12.  Model  of  a  Tier-one  country 


63 


Additionally,  the  following  should  be  eonsidered  as  indiea- 
tions  of  serious  and  sustained  efforts  to  eliminate  eyber  erime 
and  eyber  attaeks  from  a  eountry: 

•  Monitoring  of  data  patterns  for  evidenee  of  malieious  eyber 
aetivities. 

•  Effeetive  response  of  law  enforeement  ageneies  to  evidenee 
of  eyber  erime. 

•  Vigorous  investigation  and  proseeution  of  aets  of  eyber 
erime  within  the  sovereign  territory. 

•  Vigorous  investigation,  proseeution,  eonvietion,  and  sen- 
teneing  of  all  publie  offieials  who  partieipate  in  or  faeilitate 
eyber  attaeks. 

•  Provision  of  data  regarding  eyber  erime  investigations, 
proseeutions,  eonvietions,  and  sentenees  on  request. 

•  Cooperation  with  other  governments  in  the  investigation 
and  proseeution  of  eyber  erime. 

•  Extradition  of  persons  eharged  with  malieious  eyber  aets. 

•  Informing  and  edueating  the  publie,  ineluding  potential 
vietims,  about  the  eauses  and  eonsequenees  of  eyber  erime. 

•  Equal  eyber  erime  proteetion  for  all  within  sovereign 
territory. 

As  reported  in  the  DOD’s  2010  Quadrennial  Defense  Review 
Report,  the  2011  Department  of  Defense  Strategy  for  Operating 
in  Cyberspace,  and  the  White  House’s  2011  International 
Strategy  for  Cyberspace  and  2010  National  Security  Strategy, 
strengthening  international  partnerships  to  seeure  the  eyber 
domain  requires  an  understanding  of  what  gaps  exist  in  the 
eapabilities  of  our  international  partners  within  the  teehnieal, 
legal,  and  organizational  domains. Identifying  these  gaps  and 
their  root  eauses  will  provide  the  US  poliey  eommunity  with  the 
knowledge  required  to  support  our  partners  to  strengthen  their 
national  eyberseeurity,  thereby  eontributing  to  a  eyber  envi¬ 
ronment  less  hospitable  to  attempts  to  misuse  eyberspaee. 


64 


Leading  by  Example:  US-Based 
Entities’  Responsibility 

In  addition  to  holding  countries  responsible,  the  US  govern¬ 
ment  needs  to  understand  that  it  has  its  own  role  to  play  in 
seeuring  the  global  eommons.  Industry  is  likely  to  vigorously 
push  baek  against  regulatory  efforts.  With  the  potential  power 
of  destruetive  aetivities,  both  in  the  eeonomie  sense  and  the 
military  sense,  it  is  high  time  that  relianee  on  industrial  volun- 
teerism  be  serapped  and  replaeed  with  a  regulation  providing 
ineentives  and  punishments  to  eneourage  standards  for  eyber- 
seeurity.  Regulations  must  be  erafted  on  the  basis  of  polieies 
informed  by  teehnieal  realities  to  assure  a  positive  impaet.  Do¬ 
ing  so  will  legitimize  the  United  States  as  a  leader  in  the  fight 
to  hold  other  states  responsible  for  eyberseeurity  while  provid¬ 
ing  greater  eyberseeurity  for  the  Ameriean  publie. 

US-Based  Internet  Intermediaries 

Germany,  Japan,  and  other  eountries  have  developed  part¬ 
nerships  to  eneourage  ISPs  to  voluntarily  notify  subseribers 
whose  eomputers  are  suspeeted  of  being  infeeted  by  malware. 
But  seeurity  experts  eaution  that  imposing  sueh  polieies  eould 
impaet  eompetition  and  favor  large,  established  firms.  They 
also  indieate  that  additional  seeurity  risks  eould  be  generated 
in  building  surveillanee  and  eontrol  systems  that  might  also 
invite  abuse. 

Nevertheless,  ISPs  should  be  held  responsible  for  malieious 
aetivities  that  oeeur  within  their  systems.  Table  5  shows  that 
most  network  attaeks  originate  in  the  United  States.  US-based 
entities  also  own  a  large  pereentage  of  the  Internet  baekbone. 
But  US  Internet  businesses  appear  reluetant  to  invest  in  im¬ 
plementing  initiatives  that  eould  signifieantly  eurb  malieious 
aetivities  originating  in  US  networks.  An  exeeption  is  Comeast’s 
Web  notifieation  system  “used  to  provide  near -immediate  noti- 
fieations  to  eustomers,  sueh  as  to  warn  them  that  their  traffie 
exhibits  patterns  that  are  indieative  of  malware  or  virus  infee- 
tion.”^^  While  sueh  systems  are  good  indieators  that  the  indus¬ 
try  is  moving  forward  on  eyberseeurity,  more  proaetive  efforts 
are  needed  to  assure  that  malieious  software  does  not  infest 
their  eustomers’  eomputers. 


65 


Table  5.  Malicious  activity  by  source:  network  attack  origins,  2010-11 


2011 

2010 

Change 

Source 

Overall  Rank 

Percentage 

Overall  Rank 

Percentage 

United  States 

1 

21.1 

1 

19.3 

+1.8 

China 

2 

9.2 

2 

16.2 

-7.0 

India 

3 

6.2 

6 

3.9 

+2.3 

Brazil 

4 

4.1 

4 

4.4 

-0.3 

Germany 

5 

3.9 

3 

5.2 

-1.3 

Russia 

6 

3.2 

10 

2.3 

+0.9 

United  Kingdom 

7 

3.2 

5 

4.3 

-1.2 

Taiwan 

8 

3.0 

9 

2.6 

+0.5 

Italy 

9 

2.7 

8 

3.0 

-0.3 

Indonesia 

10 

2.4 

28 

0.7 

+1.7 

Adapted  from  “Threat  Activity  Trends,”  Symantec,  http://www.symantec.com/threatreport/topic 
.jsp?id=threat_activity_trends&aid=malicious_activity_by_source. 


Secure  Design  and  Implementation 

Secure  design  and  implementation  of  computer  technology 
are  perhaps  the  most  critical  factors  in  securing  the  cyber  com¬ 
mons.  Efforts  in  this  direction  are  being  made  with  the  re¬ 
design  of  future  networking  protocols  and  the  proper  imple¬ 
mentation  of  IPv6.  Design  of  software  and  hardware  for  secu¬ 
rity  is  crucial  to  dealing  with  existing  vulnerabilities  that  have 
resulted  from  poor  computer  programming.  But  there  is  a 
heavy  bias  against  regulatory  regimes  that  would  require  rigor¬ 
ous  testing  to  assure  securely  designed  and  coded  products. 
According  to  reports,  “technology  and  telecommunications 
companies  lobbied  hard  against  regulation,  arguing  that  the 
private  sector  is  better  qualified  to  develop  the  most  effective 
security  .  .  .  [and]  White  House  advisers  held  fast  to  their  philo¬ 
sophical  reluctance  to  regulate  free  markets  or  to  impose  in¬ 
dustry  standards  that  might  favor  one  sector  over  another. 
Operators  of  critical  infrastructure  systems  balk  at  sharing 
vulnerability  and  security  incident  information  with  the  gov¬ 
ernment,  fearing  disclosure  of  proprietary  information  through 
Freedom  of  Information  Act  requests.^® 


66 


US-based  software  entities,  hardware  manufaeturers,  and 
Web  sendee  providers  who  deliver  eonsumer  produets  must  be 
held  responsible  for  dealing  with  vulnerabilities  in  the  eyber 
eeosystem.  Likewise,  DOD-eontraeted  eommereial  hardware 
and  software  providers  must  provide  adequate  proteetions 
against  eompromise  of  their  produets.  A  requirement  to  deliver 
uneompromised  elassified  and  unelassified  systems,  sendees, 
or  produets  to  the  government  would  save  the  government 
money  and  the  lives  of  war  fighters.^® 

Notes 

1.  Krekel,  Adams,  and  Bakos,  Occupying  the  Information  High  Ground,  33. 

2.  Healey,  Beyond  Attribution,  4. 

3.  Shackelford,  “State  Responsibility  for  Cyber  Attacks.” 

4.  It  should  be  noted  that  the  stages  of  covert  activity  could  also  be  clas¬ 
sified  in  the  category  of  “short  of  war”;  however,  covert  action  requires  a 
presidential  finding.  The  processes  and  political  risks  involved  in  the  plan¬ 
ning  and  execution  of  covert  activity  are  beyond  the  scope  of  this  paper. 

5.  Reich  and  Yannakogeorgos,  Global  Norms,  American  Sponsorship,  and 
the  Emerging  Pattern  of  World  Politics. 

6.  International  Telecommunications  Union  (ITU),  ITU  Toolkit  for  Cyber¬ 
crime  Legislation,  2010,  http://www.itu.int/ITU-D/cyb/cybersecurity/docs 
/itu-toolkit-cybercrime-legislation.pdf. 

7.  The  White  House,  International  Strategy  for  Cyberspace,  Prosperity,  Security, 
and  Openness  in  a  Networked  World,  14. 

8.  Ibid. 

9.  Ibid. 

10.  Joint  Chiefs  of  Staff  (JCS),  National  Military  Strategy  of  the  United 
States  of  America,  15. 

11.  Shaud,  Air  Force  Strategy  Study  2020-2030,  15. 

12.  Schjolberg,  “Proposals  for  New  Legal  Mechanisms  on  Combating 
Cybercrime  and  Global  Cyberattacks.” 

13.  JCS,  National  Military  Strategy  of  the  United  States  of  America,  14. 

14.  Clarke  and  Knake,  Cyber  War.  Of  course,  these  are  Just  hypothetical 
scenarios.  Should  the  air  traffic  control  system  suffer  systemic  failure,  Clarke 
will  automatically  be  considered  a  hero.  Ringing  the  warning  bell  of  catastrophe 
when  disaster  strikes  is  a  surefire  way  to  gain  hero  status. 

15.  Llbicki,  Cyberdeterrence  and  Cyberwar. 

16.  For  an  example  of  a  counteranalysis  to  the  typical  accusations  of  Israeli 
or  US  involvements,  see  Yannakogeorgos,  “Was  Russia  behind  Stuxnet?” 

17.  Associated  Press,  “Iranian  Leader  Orders  Creation  of  Internet  Over¬ 
sight  Agency  in  Bid  to  Control  Web.” 

18.  Rowe  et  al.,  “Challenges  in  Monitoring  Cyberarms  Compliance.” 

19.  Ibid. 


67 


20.  Senate,  Bill  to  Enhance  the  Security  and  Resiliency  of  the  Cyber  and 
Communications  Infrastructure  of  the  United  States. 

21.  DOD,  Quadrennial  Defense  Review  Report,  12  February  2010,  37-39. 
See  also  National  Security  Council,  Nationcd  Security  Strategy  2010,  28. 

22.  Organization  for  Economic  Co-operation  and  Development,  Role  of 
Internet  Intermediaries  in  Advancing  Public  Policy  Objectives. 

23.  C.  Chung  et  al.,  “Comcast’s  Web  Notification  System  Design.” 

24.  Krlm,  “Cyber-Security  Strategy  Depends  on  Power  of  Suggestion.” 

25.  Yannakogeorgos,  “Privatized  Cybersecurity  and  the  Challenges  of 
Securing  the  Digital  Environment.” 

26.  1  am  grateful  to  Mr.  Lynn  Mattlce  for  this  observation. 


68 


Chapter  5 


Conclusion 

The  only  way  forward  in  creating  a  robust  network  of  global 
processes  and  policies  to  found  a  formal  international  agreement 
is  to  begin  by  holding  states  accountable  for  malicious  activities 
that  originate  in  or  transit  their  territories.  The  United  States 
should  not  shy  away  from  sponsoring  existing  international 
frameworks  and  the  emerging  institutions  such  as  IMPACT. 

Where  Do  We  Go  from  Here? 

Attributing  a  cyber  attack  to  a  state  requires  a  rapid  response 
to  the  event.  Unlike  law  enforcement,  different  standards  and 
technical  evidence  are  required  to  hold  states  accountable.  Ex¬ 
perts  have  suggested  that  the  high  standard  of  evidence  for 
criminal  prosecution  is  not  required  from  a  purely  legal  stand¬ 
point.  ^  Increasingly  the  technical  community  does  not  view  at¬ 
tribution  as  a  technical  problem. 

State  and  nonstate  actors  exploit  the  lack  of  international 
cooperation  and  laws  by  routing  their  multistage  attacks  via 
multiple  jurisdictions  to  camouflage  their  activities  and  identi¬ 
ties.^  The  White  House  strategy  recognizes  this  and,  in  its  clearest 
statement  of  a  norm  of  state  responsibility,  states  that  such 
international  cooperation  “is  a  responsibility  and  duty  that  every 
nation,  and  its  people,  all  share. This  statement  implies  that 
state  governments  should  be  held  responsible  for  actions  their 
citizens  take  within  cyberspace.  What  is  required  is  that  the 
United  States  begin  documenting  and  issuing  reports  on  each 
nation’s  efforts  to  both  create  and  enforce  legal  mechanisms 
within  their  countries  to  prosecute  cyber  crime  and  to  measure 
the  extent  of  cooperation  in  cyber  crime  investigations.  This 
would  require  a  framework  of  metrics  and  methodologies  that  will 
produce  reliable  reporting.  A  bevy  of  recent  cyber  policy  has 
documented  that  the  strengthening  of  international  partner¬ 
ships  for  cybersecurity  requires  knowledge  of  existing  gaps  in 
the  technical,  legal,  and  organizational  capabilities  of  our  inter¬ 
national  partners.^  Identifying  these  gaps  and  their  root  causes 


69 


will  provide  the  US  poliey  eommunity  with  the  knowledge  re¬ 
quired  to  support  our  partners  in  strengthening  their  national 
eyberseeurity,  thereby  invigorating  international  eooperation 
and  shaping  a  eyber  environment  that  is  less  hospitable  for 
malieious  aetors.  An  Air  Foree  effort  is  needed  to  utilize  its  ey¬ 
ber  skill  sets  to  provide  an  empirieally  based  approaeh  by  drill¬ 
ing  into  the  soeial  and  teehnieal  fabries  of  soeiety.  This  will  be 
useful  in  targeting  the  development,  diplomaey,  and  defense 
strategies  already  suggested. 

The  United  States  has  reeently  pursued  international  eyber 
polieies  aimed  at  promoting  international  eooperation  within  a 
politieo/ military  eontext.  Cyber  erime  attribution  is  often  eon- 
sidered  to  be  a  eomplex  teehnieal  problem,  and  too  often  the 
foeus  is  on  the  teehnieal  eomponents  of  eyberspaee.  Instead, 
the  emphasis  should  be  on  the  attributable  physieal  layer  of 
eyberspaee  tied  to  a  state’s  territory.  Onee  a  malieious  eyber 
ineident  or  event  is  diseovered,  states  should  be  responsible  to 
identify  the  perpetrators  and  eooperate  in  investigations.  If  not, 
then  the  government  should  be  held  eulpable  for  damages.  A 
poliey  tool  kit  modelled  on  the  antitraffieking-in-humans  pro- 
eesses  should  determine  responsibilities  and  responses.  With 
the  large  number  of  vietims  of  eyber  erime  worldwide,  the 
United  States  has  an  opportunity  to  deal  direetly  with  individ¬ 
ual  governments  on  the  issue — and  be  met  with  little  eritieism. 
This  sort  of  engagement  will  have  two  benefits.  First,  it  will  help 
ereate  legitimate  enforeement  meehanisms  for  the  global  eul- 
ture  of  eyberseeurity.  Seeond,  through  bilateral  engagements, 
the  United  States  would  be  leading  the  effort  in  ereating  a  bilateral 
treaty-based  entity.  This  is  mueh  like  the  International  Civil 
Aviation  Authority  is  today. 

Linking  It  All  Together 

David  Clark  and  Susan  Landau,  in  ‘The  Problem  Isn’t  Attri¬ 
bution,”  state  that  “solutions  to  preventing  the  attaeks  of  most 
eoneern,  multi-stage  multi -jurisdietional  ones,  will  require  not 
only  teehnieal  methods,  but  legal/poliey  solutions  as  well.”® 
Treaties  that  speeify  state  eyberspaee  aeeountability  and  obli¬ 
gations  to  assist  eorollaries  have  been  suggested.®  These  would 
be  most  desirable.  Multistage  and  multijurisdietional  attaeks 


70 


are  increasing,  and  negotiating  such  agreements  will  take  years 
if  not  decades.  An  alternative  approach  might  be  to  shift  toward 
policy  tools  that  would  allow  the  United  States  to  hold  states  re¬ 
sponsible  for  malicious  actions  within  their  sovereign  cyberspace. 

Cybersecurity  based  on  the  creation  of  global  norms  of  cyber 
behavior  has  been  proposed  without  specifying  what  the  norms 
should  look  like.  The  UN  and  the  COE  have  been  promulgating 
the  groundwork  of  international  norms  with  cooperation  from 
private  parties  within  multilateral  processes  such  as  the  World 
Summit  on  the  Information  Society  and  the  Internet  Gover¬ 
nance  Forum.  The  United  States  has  been  active  in  venues 
such  as  the  Organization  for  Economic  Cooperation  and  Devel¬ 
opment  in  developing  behavioral  norms  rather  than  the  ITU/ 
UN  forums.  Although  the  institutionalization  of  global  norms 
progresses,  the  United  States  has  been  missing  in  promoting 
and  enforcing  the  ITU/UN  norms  of  cyber  behavior.  The  pur¬ 
pose  of  this  study  was  to  determine  what,  if  any,  benefit  could 
be  accrued  from  the  US  engagement  with  the  UN/ITU  in  cyber - 
security.  A  United  States  hesitant  and  reluctant  to  engage  with 
the  global  bodies  has  frustrated  the  realization  of  global  norms 
of  cyber  behavior.  Securing  cyberspace  is  a  long  journey  that 
has  only  just  begun  and  will  not  end  soon.  With  malicious  ac¬ 
tivities  in  cyberspace  heightening  geopolitical  tensions,  it  seems 
that  these  tensions  will  prompt  new  ideas  and  strategies  on 
how  to  engage  great  powers  in  cyberspace,  while  shaping  the 
behavior  of  smaller  powers  to  assure  a  more  trusted  cyber  eco¬ 
system. 


Notes 

1.  Clark  and  Landau,  ‘The  Problem  Isn’t  Attribution,”  4.  Criminal  investi¬ 
gations  where  cyber  evidence  would  not  be  permissible  in  court  provide  law 
enforcement  authorities  other  leads,  such  as  money  trails,  that  eventually 
allow  for  the  apprehension  and  prosecution  of  a  suspect. 

2.  Ibid.,  39. 

3.  The  White  House,  International  Strategy  for  Cyberspace,  Prosperity,  Security, 
and  Openness  in  a  Networked  World,  8. 

4.  Department  of  Defense,  “Operate  Effectively  in  Cyberspace,”  37-39.  See 
also  National  Security  Council,  National  Security  Strategy,  2010,  28. 

5.  Clark  and  Landau,  “The  Problem  Isn’t  Attribution,”  1. 

6.  Clarke  and  Knake,  Cyber  War,  251-53.  See  also  Healey,  ‘The  Spectrum 
of  National  Responsibility  for  Cyberattacks.” 


71 


Abbreviations 


AFDD 

Air  Force  doctrine  document 

APEC 

Asia-Pacific  Economic  Cooperation 

ASEAN 

Association  of  Southeast  Asian  Nations 

ASP 

Active  Server  Pages 

AU 

African  Union 

C2 

command  and  control 

CERT 

computer  emergency  response  team 

CISC 

chief  information  security  officer 

CNITSEC 

China  Information  Technology  Security 
Certification  Center 

COE 

Council  of  Europe 

CSIRT 

computer  security  incident  readiness  team 

DHS 

Department  of  Homeland  Security 

DNS 

Domain  Name  System 

DOD 

Department  of  Defense 

DOJ 

Department  of  Justice 

DOS 

Department  of  State 

DPI 

deep  packet  inspection 

EU 

European  Union 

G-8 

Group  of  Eight 

GCC 

global  culture  of  cybersecurity 

ICS 

industrial  control  system 

ICT 

information  and  communication 
technology 

IEEE 

Institute  of  Electrical  and  Electronic 
Engineers 

IGF 

Internet  Governance  Forum 

IMF 

International  Monetary  Fund 

IMPACT 

International  Multilateral  Partnership 
against  Cyber  Threats 

IRC 

internet  relay  chat 

ISO 

International  Organization  for 
Standardization 

ISP 

Internet  service  provider 

IT 

information  technology 

ITU 

International  Telecommunications  Union 

JCS 

Joint  Chiefs  of  Staff 

JSP 

Java  Server  Pages 

73 


MAC 

media  access  control 

NGO 

nongovernmental  organization 

NISP 

National  Industrial  Security 
Program 

NSC 

National  Security  Council 

OAS 

Organization  of  American  States 

OECD 

Organization  for  Economic 
Cooperation  and  Development 

OEM 

original  equipment  manufacturer 

OSCE 

Organization  for  Security  and 
Cooperation  in  Europe 

OSI 

open  systems  interconnection 

PLA 

People’s  Liberation  Army 

PROTECT  Act 

Prosecutorial  Remedies  and  Other 
Tools  to  End  the  Exploitation  of 
Children  Today  Act 

PROTECT  IP  or  PIPA 

Preventing  Real  Online  Threats  to 
Economic  Creativity  and  Theft  of 
Intellectual  Property  Act 

SCADA 

supervisory  control  and  data 
acquisition 

SCAP 

Security  Content  Automation 
Protocol 

SECI 

Southeast  European  Cooperative 
Initiative 

SOPA 

Stop  Online  Piracy  Act 

TCP/IP 

transmission  control  protocol  / 
Internet  protocol 

TIP  Report 

Trafficking  in  Persons  Report 

TOR 

the  Onion  Router 

TVPA 

Trafficking  Victims  Protection  Act 

UN 

United  Nations 

UNGA 

United  Nations  General  Assembly 

UOF 

use  of  force 

WiFi 

wireless  fidelity 

WSIS 

World  Summit  on  the 

Information  Society 

WWW 

World  Wide  Web 

74 


Bibliography 


Air  Force  Doctrine  Document  3-12.  Cyberspace  Operations,  2010. 

Alperovitch,  Dimitri.  Revealed:  Operation  Shady  RAT,  White  Paper 
version  1.1.  McAfee,  2011.  http://www.mcafee.com/us 
/resources/white-papers /wp-operation-shady- rat.  pdf. 

“America  Will  Not  Tolerate  Slave  Traders,  Bush  Says.”  America  in 
Context,  http:  /  /usinfo.  org/wf-archive/2004/0407 1 6/epf507 
.htm. 

Areddy,  James.  “People’s  Republic  of  Hacking.”  Wall  Street 
Journal,  20  Feb  2010,  Al. 

Associated  Press.  “Iranian  Leader  Orders  Creation  of  Internet 
Oversight  Agency  in  Bid  to  Control  Web.”  Washington  Post, 
7  March  2012.  http://www.washingtonpost.com/world 
/middle_east/iranian-leader-orders-creation-of-internet 
-oversight-agency-in-bid-to-control-web/ 20 12/03/07 
/  gIQAlpYawR_story .  html . 

Barrett,  Barrington  M.,  Jr.  “Information  Warfare:  China’s  Re¬ 
sponse  to  U.S.  Technological  Advantages.”  International 
Journal  of  Intelligence  and  Counterintelligence  18,  no.  4  (21 
August  2006):  682-706. 

Brossard,  Jonathan,  and  Florentin  Demetrescu.  “Hardware 
Backdooring  Is  Practical.”  Hackito  Ergo  Sum,  7  March 
2012.  http -.1 12012. hackitoergosum. org/blog/ wp-content 
/uploads /201 2 /04/HES-2012-jbrossard_fdemetrescu 
-Hardware-Backdooring-is-pratical.pdf. 

Chung,  C.,  A.  Kasyanov,  J.  LMngood,  N.  Mody,  and  B.  Van  Lieu. 
“Comcast’s  Web  Notification  System  Design.”  The  Internet 
Engineering  Task  Force,  February  2011.  http://tools.ietf 
.  org/html/rfc6 1 08. 

Clark,  David.  Characterizing  Cyberspace:  Past,  Present  and  Fu¬ 
ture,  Version  1.2.  MIT  Computer  Science  and  Artificial  In¬ 
telligence  Laboratory,  12  March  2010.  http://web.mit 
.  edu/  ecir /pdf/  dark- cyberspace .  pdf. 

Clark,  David  D.,  and  Susan  Landau.  “The  Problem  Isn’t  Attribu¬ 
tion;  It’s  Multi-Stage  Attacks.”  MIT  Computer  Science  and  Ar¬ 
tificial  Intelligence  Laboratory,  Advanced  Network  Architec¬ 
ture,  30  November  2010.  http://groups.csail.mit.edu/ana 
/ANA%20PUBLICATIONS/The_Problem_isnt_Attribution.pdf 


75 


- .  “Untangling  Attribution.”  In  Proceedings  of  a  Workshop  on 

Deterring  Cyberattacks:  Irforming  Strategies  and  Developing 
Options  for  U.S.  Policy.  Washington,  DC:  National  Research 
Council,  The  National  Academies  Press,  2010.  http://www 
.nap.edu/openbook.php?record_id=12997&page=25. 

Clarke,  Richard  A.,  and  Robert  Knake.  Cyber  War:  The  Next 
Threat  to  National  Security  and  What  to  Do  about  It.  New 
York:  HarperCollins  Publishers,  2010. 

Clinton,  Hillary  Rodham  “Remarks  on  Internet  Freedom.” 
Department  of  State  (DOS),  21  Jan  2010.  http://www. 
state.gov/secretary/rm/20 10/01/ 135519.htm. 

Council  of  Europe.  Convention  on  Cybercrime,  2001.  http:// 
conventions. coe.int/Treaty/EN/Treaties/Html/ 185.htm. 

Denning,  Dorothy  E.,  and  Peter  J.  Denning,  eds.  Internet  Be¬ 
sieged:  Countering  Cyberspace  Scofflaws.  New  York:  ACM 
Press,  1998. 

Department  of  Commerce,  Internet  Policy  Task  Force.  Cyber-se¬ 
curity,  Innovation  and  the  Internet  Economy,  June  2011. 
http://www.nist.gov/itl/upload/Cybersecurity_Green 
-Paper_FinalVersion.pdf. 

Department  of  Defense  (DOD)  Instruction  5205.13.  Defense  In¬ 
dustrial  Base  (DIB)  Cyber  Security /Information  Assurance 
(CS/IA)  Activities,  29  January  2010.  http://www 
.dtic.mil/whs/directives/corres/pdf/520513p.pdf. 

- .  Department  of  Defense  Strategy  for  Operating  in  Cyberspace, 

July  2011.  http://www.defense.gov/news/d20110714cyber. 
pdf. 

- .  “Operate  Effectively  in  Cyberspace.”  In  Quadrennial  De¬ 
fense  Review  Report,  February  2010,  37-39.  https://acc.dau 
.mil/adl/en-US/34663 1  /file/48786/QDR%20Report%20 
Feb%202010.pdf. 

- .  Quadrennial  Defense  Review  Report,  12  February  2010. 

http :  /  /  WWW.  defense .  gov  /  qdr/  images  /  QDR_as 
_of_  1 2Feb  1 0_  1  OOO.pdf. 

Department  of  Homeland  Securliy.  Enabliiy  Distributed  Security  in 
Cyberspace:  Building  a  Healthy  and  ResUient  Cyber  Ecosystem 
with  Automated  Collective  Action,  23  Mar  2011.  http://www 
.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white 
-paper-03-23-201 1. pdf. 


76 


Department  of  Justiee.  Assessment  ofU.S.  Government  Efforts 
to  Combat  Trafficking  in  Persons  in  Fiscal  Year  2004,  2005. 
http://www.justiee.gov/arehive/ag/annualreports 
/tr2005/assessmentofustipaetivities.pdf. 

DOS.  Charter  and  Amendments:  Human  Smuggling  and  Traf¬ 
ficking  Center,  9  July  2004.  http://www.state.gOv/m/ds 
/hsteenter/4 1444.htm. 

- .  Workir^  for  Women,  Worldwide:  The  U.S.  Commitment, 

2005.  http://usinfo.state.gov/produets/pubs/women/eombat 
.htm. 

Exeeutive  Offiee  of  the  President,  National  Seienee  and  Teeh- 
nology  Couneil.  Trustworthy  Cyberspace:  Strategic  Plan  for 
the  Federal  Cybersecurity  Research  and  Development  Pro¬ 
gram,  Deeember  2011.  http://www.whitehouse.gov/sites 
/default/ files /mierosites/ostp/fed_eyberseeurity 
_rd_strategie_plan_20 1 1 . 

Federal  Bureau  of  Investigation.  “Manhattan  U.S.  Attorney  and  FBI 
Assistant  Director  in  Charge  Annoimce  Additional  Arrests  as 
Part  of  International  Cyber  Crime  Takedown,”  11  July  2012. 
http:  /  /www.  fbi.gov/newyork/ press-releases/ 20 12 
/manhattan-u.s.-attorney-and-fbi-assistant-director-in 
-charge-announce-additional-arrests-as-part-of-international 
-cyber-crime-takedown/ . 

Federal  Communications  Commission,  Reliability  and  Inter¬ 
operability  Council,  Working  Group  8,  Communications 
Security.  Final  Report:  Internet  Service  Provider  (ISP)  Net¬ 
work  Protection  Practices,  December  2010.  http: //transi¬ 
tion.  fcc.gov/pshs/docs/csric/CSRlC_WG8_FlNAL 
_REPORT_lSP_NETWORK_PROTECTlON_20 101213.  pdf. 

Finnemore,  Martha,  and  Kathryn  Sikkink.  “International  Norm 
Dynamics  and  Political  Change.”  International  Organiza¬ 
tion  52  (Autumn,  1998):  887-917. 

Gady,  Franz-Stefan.  “Africa’s  Cyber  WMD  [weapons  of  mass 
destruction].”  Foreign  Policy.com,  24  Mar  2010.  http:// 
WWW.  foreignpolicy .  com/  articles  /2010/03/24/  africas_cyber 
wmd. 


77 


Ghernouti-Helie,  Solange.  A  National  Strategy  for  an  Effective 
Cybersecurity  Approach  and  Culture.  Presentation  at  the 
International  Conferenee  on  Availability,  Reliability  and 
Seeurity,  Krakow,  Poland,  15-18  February  2010.  http:// 
www.eomputer.org/portal/web/esdl/doi/  10. 1 109 
/ARES.2010.119. 

Grey  Logie.  Project  Grey  Goose  Report  on  Critical  Infrastructure: 
Attacks,  Actors  and  Emerging  Threats,  21  January  2010. 
http://dataelonelabs.eom/seeurity_talkworkshop 
/papers/2555009 1-Proj-Grey-Goose-report-on-Critieal 
-Infrastrueture-Attaeks-Aetors-and-Emerging-Threats.pdf. 

Gross,  Grant.  “ISPs:  No  New  Cyberseeurity  Regulations  Needed.” 
JT  World,  7  Mar  2012.  http://www.itworld.eom/network 
ing/256662/isps-no-new-eyberseeurity-regulations 
-needed. 

Grow,  Brian,  Keith  Epstein,  and  Chi-Chu  Tsehang.  ‘The  New  E- 
Spionage  Threat:  A  Business  Week  Probe  of  Rising  Attaeks 
on  Ameriea’s  Most  Sensitive  Computer  Networks  Uneovers 
Startling  Seeurity  Gaps.”  Business  Week,  21  Apr  2008. 
http://www.businessweek.eom/stories/2008-04-09/the 
-new-e-spionage-threat. 

Harrison,  Keith,  and  Gregory  White.  “A  Taxonomy  of  Cyber 
Events  Affeeting  Communities.”  In  Proceedings  of  the  201 1 
44th  Hawaii  International  Conference  on  System  Sciences, 
1-9.  Washington,  DC:  IEEE  Computer  Soeiety  Conferenee 
Publishing  Serviees,  2011. 

Healey,  Jason.  Beyond  Attribution:  A  Vocabulary  for  National 
Responsibility  for  Cyber  Attacks.  Vienna,  VA:  Cyber  Con- 
fliet  Studies  Assoeiation,  2010. 

- .  ‘The  Speetrum  of  National  Responsibility  for  Cyber  At¬ 
taeks.”  Brown  Journal  of  World  Affairs  18,  no.  1,  (Fall/Winter 
2011):  57-70. 

Information  Warfare  Monitor  and  Shadowserver  Foundation. 
Shadows  in  the  Cloud:  Investigating  Cyber  Espionage  2.0, 
April  2010.  http://shadows-in-the-eloud.net/. 

International  Teleeommunieations  Union  (ITU).  ITU/ IMPACT 
Country  Readiness  Assessment  to  Establish  a  National  CIRT. 
http://www.itu.int/ITU-D/eyb/eyberseeurity/does 
/CIRT_%20Assessment04 1011  -final.pdf. 


78 


- .  rru  Toolkit  for  Cybercrime  Legislation,  2010.  http:// 

www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-toolkit 

-cybercrime-legislation.pdf. 

Joint  Chiefs  of  Staff.  National  Military  Strategy  for  Cyberspace 
Operations.  Washington,  DC:  DOD,  2006.  http://www 
.dod.mil/pubs/foi/joint_staff/jointStaff 
_j  ointOperations/07-F-2 1  OSdoc  1  .pdf. 

- .  The  National  Military  Strategy  of  the  United  States  of 

America:  2011,  Redefining  America’s  Military  Leadership,  8 
February  2011. http://www. jes.mil/eontent 
/files  /  201 1-02/02081 1084800_201  l_NMS_-_08 
_FEB_2011.pdf. 

Kanuck,  Sean.  “Sovereign  Diseourse  on  Cyber  Confliet  under  Inter¬ 
national  Law.”  Texas  Law  Review  88  (June  2010):  1571-97. 

Killereee,  Georgia.  Steps  for  Creating  National  CSIRTs.  Pittsburg, 
PA:  Carnegie  Mellon  Software  Engineering  Institute,  2004. 
http :  /  /  WWW.  eert.  org/  arehive  /pdf/NationalCSlRT  s .  pdf. 

Krekel,  Bryan,  Patton  Adams,  and  George  Bakos.  Occupying  the 
Information  High  Ground:  Chinese  Capabilities  for  Computer 
Network  Operations  and  Cyber  Espionage.  Northrop  Grum¬ 
man  Corp.,  7  Mareh  2012.  http://www.usee.gov/RFP/2012 
/USCC%20Report_Chinese_CapabilitiesforComputer 
_NetworkOperationsandCyberEspionage .  pdf 

Krim,  Jonathan.  “Cyber-Seeurity  Strategy  Depends  on  Power 
of  Suggestion.”  Washington  Post,  15  Feb  2003,  EOl.  http:// 
WWW.  washingtonpost.  eom/ae2/wp-dyn/Al  02  74 
-2003Feb  14?language=printer. 

Lebow,  Riehard  Ned.  “Power,  Persuasion  and  Justiee.”  Millen¬ 
nium:  Journal  of  International  Studies  33,  no.  3  (1  June 
2005):  551-81. 

Leighton,  Tom.  “The  Net’s  Real  Seeuriiy  Problem.”  Scientific  Ameri¬ 
can.  https:  //www.seientifieameriean.eom/artiele.efm?id=the 
-nets-real-seeuriiy-pr. 

Libieki,  Martin  C.  Cyberdeterrence  and  Cyberwar.  Santa  Moniea, 
CA:  RAND  Corporation,  2009. 

Lin,  Herbert.  “Esealation  Dynamies  and  Confliet  Termination 
in  Cyberspaee.”  Strategic  Studies  Quarterly  6  no.  3  (Fall 
2012):  46-70. 


79 


Lipson,  Howard  F.  Tracking  and  Tracing  Cyber-Attacks:  Technical 
Challenges  and  Global  Policy  Issues,  special  report  no.  CMU/ 
SEI-2002-SR-009.  Pittsburgh,  PA:  Software  Engineering  In¬ 
stitute,  Carnegie  Mellon  University,  2002. 

Mandiant.  “Advanced  Persistant  Threat  1:  Exposing  One  of  China’s 
Cyber  Espionage  Units,”  February  2013.  http://intelreport 
.mandiant.com/Mandiant_APTl_Report.pdf 

Microsoft  Corporation.  “China  Information  Technology  Secu¬ 
rity  Certification  Center  Source  Code  Review  Lab  Opened,” 
26  Sept  2003.  http://www.microsoft.com/presspass 
/press/2003/sep03/09-26gspchpr.mspx. 

- .  European  Telecom  Uses  Microsoft  Security  Data  to  Remove 

Botnet  Devices  ftom  Network  13  Mar  2012.  http://www 
.microsoft.com/casestudies/Microsoft-Lync-Server /Telia 
Sonera/European -Telecom-Uses-Microsoft-Security-Data 
-to-Remove-Botnet-Devices-from-Network/7 10000000 132. 

Miko,  Francis  T.  Trafficking  in  Persons:  The  U.S.  and  Inter¬ 
national  Response.  Washington,  DC:  Congressional  Re¬ 
search  Service,  19  January  2006. 

Molyneux,  Robert  E.  The  Internet  under  the  Hood:  An  Introduc¬ 
tion  to  Network  Technologies  for  Information  Professionals. 
Westport,  CT:  Libraries  Unlimited,  2003. 

National  Securiiy  Council.  Comprehensive  National  Cybersecurity  Initia¬ 
tive.  http:  /  /www.whitehouse.gov/cybersecuriiy/comprehensive 
-national-cybersecurity-initiative. 

- .  National  Security  Strategy,  2010,  May  2010.  http://www 

.whitehouse.gov/sites/default/files/rss_viewer/national 
_security_strategy .  pdf 

Nelson,  Bill,  Rodney  Choi,  Michael  lacobucci,  Mark  Mitchell, 
and  Greg  Gagnon.  Cyberterror:  Prospects  and  Implications. 
Monterey,  CA:  Center  for  the  Study  of  Terrorism  and  Ir¬ 
regular  Warfare,  US  Naval  Postgraduate  School,  1999. 
http://www.nps.edu/Academics/Centers/CTIW/files 
/Cyberterror%20Prospects%20and%20Implications.pdf. 

Onley,  Dawn  S.,  and  Patience  Wait.  “Red  Storm  Rising:  DOD’s 
Efforts  to  Stave  Off  Nation-State  Cyberattacks  Begin  with 
China.”  Government  Computer  News,  21  Aug  2006. 


80 


Organization  for  Economic  Co-operation  and  Development 
(OECD).  The  Role  of  Internet  Intermediaries  in  Advancing  Pub¬ 
lic  Policy  Olyectives.  Paris:  OECD  Publishing,  2011.  http:// 
www.oeed-ilibrary.org/the-role-of-internet-intermediaries 
-in-advaneing-publie-poliey-objeetives_5kgdp5mpxgxqpdf;jse 
ssionid  =  57i4941o6ebe6.delta?eontentType  =  /ns 
/Book&itemld  =  /eontent/book/9789264  115644 
-en&eontainerltemld= /  eontent/book/9 789264 1 1 5644-en 
&aeeessltemlds=&mimeType=applieation/pdf. 

Parks,  Raymond  C.,  and  David  P.  Duggan.  “Prineiples  of  Cyber- 
Warfare.”  In  Proceedings  of  the  2001  IEEE  Workshop  on  In¬ 
formation  Assurance  and  Security,  United  States  Military 
Aeademy,  West  Point,  NY,  5-6  June  2001,  122-25.  http:// 
eiteseerx.ist.psu.edu/viewdoe/download?doi=10. 1. 1.63. 1 
47 8&rep=rep  1  &type=pdf. 

Reieh,  Simon,  and  Panayotis  Yannakogeorgos.  “George  Bush 
and  the  Sponsoring  of  the  Anti-Traffieking  Norm:  A  Rare 
Sueeess  Story.”  In  Global  Norms:  American  Sponsorship 
and  the  Emerging  Pattern  of  World  Politics,  edited  by  Simon 
Reieh  and  Panayotis  Yannakogeorgos,  178-205.  New  York: 
Palgrave  2010. 

- .  Global  Norms:  American  Sponsorship,  and  the  Emerging 

Pattern  of  World  Politics.  New  York:  Palgrave  2010. 

Rowe,  Neil  C.,  Simson  L.  Garflnkel,  Robert  Beverly,  and  Panayotis 
Yannakogeorgos.  “Challenges  in  Monitoring  Cyberarms 
Complianee.”  International  Journal  of  Cyber  Warfare  and 
Terrorism  1  (2011):  2-14. 

- .  “Steps  towards  Monitoring  Cyberarms  Complianee.”  In 

Proceedings  of  the  1 0th  European  Conference  on  Informa¬ 
tion  Warfare  and  Security.  Tallinn,  Estonia:  Tallinn  Univer¬ 
sity  of  Teehnology,  July  2011,  221-27.  http://faeulty.nps 
.edu/nerowe/rowe_eeiwl  1  .htm. 

Sandoval,  Greg.  ‘Top  ISPs  Agree  to  Beeome  Copyright  Cops.” 
CNET News.com,  7  July  2011.  http://news.enet.eom/8301 
-31001_3-20077492-261/top-isps-agree-to-beeome-eopy 
right-eops. 


81 


Schjolberg,  Stein.  “Proposals  for  New  Legal  Meehanisms  on 
Combating  Cybererime  and  Global  Cyberattaeks:  An  Inter¬ 
national  Criminal  Court  or  Tribunal  for  Cyberspaee  (ICTC).” 
A  paper  for  tbe  EastWest  Institute  Cybererime  Legal  Work¬ 
ing  Group,  May  2011.  bttp://www. eybererimelaw.net 
/doeuments/International_Criminal_Court_or_Tribunal 
_for_Cyberspaee_(ICTC) .  pdf. 

Senate.  A  Bill  to  Enhance  the  Security  and  Resiliency  of  the  Cyber 
and  Communications  Infrastructure  of  the  United  States. 
112tb  Congress,  2nd  sess.,  2012,  S  3414. 

Sbaekelford,  Scott  J.  “State  Responsibility  for  Cyber  Attacks: 
Competing  Standards  for  a  Growing  Problem.”  Depart¬ 
ment  of  Politics  and  International  Studies,  University  of 
Cambridge .  bttp : / /irps . ucsd.edu/ assets /001/501281. pdf. 

Sbaud,  Jobn  A.  Air  Force  Strategy  Study  2020-2030.  Maxwell 
AFB,  AL:  Air  University  Press,  2010. 

TeliaSonera.  TeliaSonera’s  Response  to  the  European  Commis¬ 
sion  Consultation  on  Net  Neutrality  and  the  Open  Internet, 
30  September  2010. 

“Tbougb  Obama  Viewed  Positively,  StiU  Much  Criticism  of  US  For¬ 
eign  Policy:  Global  Poll.”  World  Public  OpiniorLorg,  7  July  2009. 
http:  /  /  WWW.  worldpublicopinion.  org/pipa/  articles  /views_ 
on_countriesregions_bt/623.php?nid=&id=&pnt=623&lb=. 

United  Nations  (UN).  Responsibility  of  States  for  Internationally 
Wrongful  Acts,  2001.  http://untreaty.un.org/ilc/texts 
/instruments/english/draft%20articles/9_6_200 1  .pdf. 

UN  Commission  on  the  Status  of  Women.  “Eliminating  Demand 
for  Trafficked  Women  and  Girls  for  All  Forms  of  Exploita¬ 
tion,”  Resolution  49/2,  March  2008.  http://www 
.humantrafficking.org/uploads/updates/csw_tip_res 
_adopted_031 105.doc. 

UN  Department  of  Economic  and  Social  Affairs.  Cybersecurity:  A 
Global  Issue  Demanding  a  Global  Approach,  12  December  2011. 
http://www.un.org/en/development/desa/news/ecosoc 
/cybersecurity-demands-global-approach.html. 

UN  Economic  Commission  for  Europe  (UNECE).  The  Informa¬ 
tion  Society  in  Europe  and  North  America:  Contributions 
from  the  UNECE  to  the  WSIS  Prep  Com  2,  December  2002. 


82 


UN  General  Assembly.  “Combating  the  Criminal  Misuse  of  Infor¬ 
mation  Teehnologies,”  A/RES/56/ 121,  23  January  2002. 
http://www.itu.int/lTU-D/eyb/eyberseeurity/does/UN 
_resolution_56_  121  .pdf. 

- .  “Creation  of  a  Global  Culture  of  Cyberseeurity,”  A/ 

RES/57/239,  31  January  2003.  http://www.itu.int/lTU-D 
/eyb/eyberseeurity/does/UN_resolution_57  _239.pdf. 

- .  “Creation  of  a  Global  Culture  of  Cyberseeurity  and  Tak¬ 
ing  Stoek  of  National  Efforts  to  Proteet  Critieal  Information 
Infrastruetures,”  A/RES/64/211,  17  Mar  2010.  http:// 
daeeess-ods.un.  org/aeeess.nsf/Get?Open&DS=A 
/RES/64/21  l&Lang=E. 

- .  “Creation  of  a  Global  Culture  of  Cyberseeurity  and  the 

Proteetion  of  Critieal  Information  Infrastruetures,”  A/ 
RES/58/ 199,  30  January  2004.  http://www.itu.int/ITU-D 
/eyb/eyberseeurity/does/UN_resolution_58_199.pdf. 

- .  “Developments  in  the  Field  of  Information  and  Teleeom- 

munieations  in  the  Context  of  International  Seeurity,”  A/ 
RES/56/ 19,  29  November  2001.  http://daeeess-ods.un. 
org/aeeess.nsf/Get?Open&DS=A/RES/60/45&Lang=E. 

- .  “Developments  in  the  Field  of  Information  and  Teleeom- 

munieations  in  the  Context  of  International  Seeurity,”  A/ 
RES/60/45,  6  January  2006.  http://www.worldlii.org 
/int/other/UNGARsn/200 1  /8 1  .pdf. 

- .  Group  of  Governmental  Experts  on  Developments  in  the 

Field  of  Information  and  Telecommunications  in  the  Context 
of  International  Security,  30  July  2010.  http://www.unidir 
.org/pdf/aetivites/pdf5-aet483.pdf. 

Ungerleider,  Nearl.  “The  Chinese  Way  of  Haeking.”  Fast  Company, 
13  July  2011.  http://www.fasteompany.eom/1766812 
/ehinese-way-haeking. 

United  States-China  Eeonomie  and  Seeurity  Review  Commission. 
“Oeeupying  the  Information  High  Ground:  Chinese  Capabili¬ 
ties  for  Computer  Network  Operations  and  Cyber  Espionage.” 
http :  /  / WWW. usee. gov/RFP  / 20  12/USCC%20Re 
port_Chinese_CapabilitiesforComputer_NetworkOperation 
sandCyberEspionage.pdf. 

Waldrop,  Miteh.  “DARPA  and  the  Internet  Revolution.”  Defense  Ad- 
vaneed  Researeh  Projeets  Ageney.  www.darpa.mil/WorkArea 
/DownloadAsset.aspx?id=2554. 


83 


Westby,  Jody  R.  “Conclusion.”  In  The  Quest  for  Cyber  Peaee, 
edited  by  Hamadoun  I.  Toure.  ITU,  January  2011,  1 12-1 13. 
http :  /  / WWW. itu .  int/dms_pub/itu-s/opb/gen 
/S-GEN-WFS.01-1-2011-PDF-E  .pdf. 

- .  “US  Administration’s  Reekless  Cyber  Poliey  Puts  Nation  at 

Risk.”  Forbes,  6  June  2012.  http://www.forbes.eom/sites 
/jodywestby/2012/06/04/u-s-administrations-reekless 
-eyber-poliey-puts-nation-at-risk/. 

White  House.  Administration  Strategy  on  Mitigating  the  Theft  of 
U.S.  Trade  Seerets,  20  February  2013.  http: //www. white- 
house,  gov/ /sites /default /files /omb/lPEC/ admin 
_strategy_on_mitigating_the_theft_of_u.s._trade_seerets.pdf. 

- .  International  Strategy  for  Cyberspace,  Prosperity,  Secu¬ 
rity,  and  Openness  in  a  Networked  World,  May  2011. 
http://www.whitehouse.gov/sites/default/files/rss 
_viewer/international_strategy_for_eyberspaee.pdf. 

World  Summit  for  the  Information  Soeiety  (WSIS).  Declaration 
of  Principles.  Deeember  2003,  http://www.itu.int/wsis 
/  does  /geneva/offieial/  dop.  html. 

WSIS.  Plan  of  Action,  Deeember  2003.  http://www.itu.int 
/wsis/does/geneva/offieial/poa.html. 

- .  Tunis  Agenda  for  the  Information  Society,  November  2005. 

http://www.itu.int/wsis/does2/tunis/off/6revl  .html. 

Yannakogeorgos,  Panayotis.  “Cyberspaee:  The  New  Frontier  and 
the  Same  Old  Multilateralism.”  In  Global  Norms:  American 
Sponsorship  and  the  Emerging  Pattern  of  World  Politics,  edited 
by  Simon  Reieh  and  Panayotis  Yannakogeorgos,  147-77. 
New  York:  Palgrave  2010. 

- .  “Privatized  Cyberseeurity  and  the  Challenges  of  Seeur- 

ing  the  Digital  Environment.”  In  Crime  and  Terrorism  Risk: 
Studies  in  Criminology  and  Criminal  Justice,  edited  by  Leslie 
W.  Kennedy  and  Edmund  F.  MeGarrell,  255-67.  New  York: 
Routledge,  2011. 

- .  “Promises  and  Pitfalls  of  the  Private  Publie  Partnership 

Model.”  In  Crime  and  Terrorism  Risk:  Studies  in  Criminology 
and  Criminal  Justice,  edited  by  Leslie  W.  Kennedy  and 
Edmund  F.  MeGarrell,  255-67.  New  York:  Routledge,  2011. 

— - .  “Was  Russia  behind  Stuxnet?”  The  Diplomat,  10  Deeem¬ 

ber  201 1.  http://the-diplomat.eom/201  II 12!  10/was-russia 
-behind-stuxnet/ . 


84 


Yannakogeorgos,  Panayotis,  and  Lynn  Mattice.  Essential  Ques¬ 
tions  for  Cyber  Policy:  Strategically  Using  Global  Norms  to 
Resolve  the  Cyber  Attribution  Challenge.  Maxwell  AFB,  AL: 
Air  University  Press,  2011. 

Zanini,  Miehele,  and  Sean  J.  A.  Edwards.  “The  Networking  of 
Terror  in  the  Information  Age.”  In  Networks  and  Netwars, 
edited  by  John  Arquilla  and  David  Ronfeldt,  29-60.  Santa 
Moniea,  CA:  RAND  Corporation,  2001. 

Zetter,  Kim.  “Rogue  Nodes  Turn  Tor  Anonymizer  into  Eaves¬ 
dropper’s  Paradise.”  Wired,  10  September  2007.  http:// 
www.wired.eom/polities/seeurity /news/ 2  00  7/ 09 
/embassy_haeks?eurrentPage=  1 . 


85 


Strategies  for  Resolving  the  Cyber 
Attribution  Challenge 

Commander  and  President,  Air  University 

Lt  Gen  David  S.  Fadok 

Director,  Air  Force  Research  Institute 

Lt  Gen  Allen  G.  Peek,  USAF,  Retired 


Air  University  Press  Team 

Chief  Editor 
James  S.  Howard 

Copy  Editor 
Carolyn  Burns 

Cover  Art  and  Book  Design 
Daniel  Armstrong 

Illustrations 
Daniel  Armstrong 

Composition  and  Prepress  Production 
Nedra  O.  Looney 

Print  Preparation  and  Distribution 
Diane  Clark 


